IF you’re a registered voter, you need to worry.
Contrary to the assurances offered by the Commission on Elections (Comelec), the March 27 data breach it suffered exposes you to identity theft, fraud, extortion and other serious crimes that can put you and your family in harm’s way.
The trouble began just before midnight on March 27, when the hacker group Anonymous Philippines defaced the Comelec website and demanded that it activate the security features of the vote counting machines that will be used in the May elections.
Hours later, more serious damage was done by a second group calling itself Lulzsec Pilipinas, posted an online link to what it claimed was the entire Comelec database that it had obtained through the website. The 338GB database contains 75.3 million individual entries, 55 million of which roughly correspond to the number of registered voters in the country.
“A great lol to Commission on Elections, here’s your whoooooole database,” LulzSec Pilipinas wrote in a Facebook post.
In the wake of the massive data breach, Comelec officials played down the significance of the hack.
A spokesman said the information on the website did not contain “any sensitive information” that would affect the outcome of the May 9 elections—completely overlooking the possible dangers that 54 million voters face from having their personal data exposed.
But the security company Trend Micro said the hack contained a huge amount of highly sensitive personal data, including names, home addresses, birthdays, and even fingerprints of 15.8 million people, and the passport numbers of 1.3 million overseas voters.
“With 55 million registered voters in the Philippines, this leak may turn out as one of the biggest government-related data breaches in history, surpassing the Office of Personnel Management hack last 2015 [in the United States] that leaked [personally identifiable information], including fingerprints and social security numbers of 20 million US citizens,” the company said.
Contrary to the Comelec claims, Trend Micro said, its research showed that massive records of personally identifiable information, including fingerprints data were leaked. Included in the data was a list of Comelec officials that have admin accounts.
“Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone,” the company added.
On April 21, hours after police arrested a 20-year-old hacker suspected of defacing the Comelec website, Lulzsec Pilipinas struck again, uploading the Comelec database to a searchable website it called “Philippines, we have your data.” While the site has since gone offline, copies of the database are now being distributed over the BitTorrent file sharing system—making it impossible to put the genie back into the bottle.
Some IT experts believe the hacked data can’t be used to affect the outcome of the elections, but the poll watchdog group Kontra Daya says the personal information could be used for intimidation or vote buying.
While the jury is still out on this, what is crystal clear is that every registered voter is now at risk.
“Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion,” Trend Micro warned.
In previous cases of data breach, the company added, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for phishing and other e-mail scams, blackmail and extortion.
Recognizing the dangers, the central bank has issued a memo ordering banks to be “more alert in establishing the true identity of customers.”
“Customer identification procedures of… financial institutions that rely on static information which may be obtained from the disclosed Comelec records should be supplemented by requests for additional proof or secondary information to establish the true identity of new and existing clients,” the central bank memo said.
The Bankers Association of the Philippines also advised its members to put safeguards in place to protect their clients, since many banks use personal information for verification purposes.
Despite the real dangers involved, the issue doesn’t seem to be stirring up the kind of public outrage it deserves.
That may change, however, as election watchdogs and IT groups talk about a class action suit against the Comelec for failing to protect our private information.
On Reddit, user jcgurango agreed.
“The Comelec didn’t take the steps to secure your data. If anybody is liable to pay anything it’s them, simple as that,” he said.
Another user, kcoako, asked the question that was on my mind: “How are people not talking about this more?”
Column archives and blog at: