THE Commission on Elections is facing a class action suit for failing to secure the personal data of some 55 million registered voters, which were stolen by hackers and made publicly accessible on the internet.
During a forum on “Hacking the Philippine Electoral System,” several information technology groups vowed to sue the Comelec, saying the poll body should be held accountable for the data breach.
The groups criticized the Comelec for its failure to institute the needed security for its IT infrastructure, thus allowing hackers to gain access to the sensitive information.
Apart from the names, addresses, birthdays, civil status and passport numbers, other sensitive data relevant to the Comelec’s pending cases and even cash advances allegedly became downloadable through the BitTorrent file sharing scheme and accessible to just about anyone on the web.
Information security consultant Isaac Saab of Pandora Security Labs lamented that the Comelec did not undertake the three basic steps to tightly secure the privacy of voters’ information.
“First, they should use a more robust, upgraded system. The present one was apparently too rudimentary. Then, there’s auditing the system. You should keep monitoring your system. And, third, there’s the exercise of due diligence so as not to lower your guard,” Saab said.
The IT groups signed a manifesto indicating their unity to collectively monitor the Comelec’s actions, especially with regard to safeguarding the security of voters’ identity.
A potentially disastrous data breach such as the one that hit the Comelec cannot be ignored and those responsible for it should be held liable, they said.
“Somebody should be held accountable, and that’s the Comelec,” said Tonyo Cruz of the group TXTPower.
The IT groups also called on the victims of the identity theft to file similar action against the Comelec for its negligence.
“We are calling for a class suit. We are not sorry for taking legal action against Comelec, because they are the very reason for the litigation,” Cruz said.
Toby Purisima, a cybercrime lawyer, said that legal action can be initiated against the Comelec under the Data Privacy Act.
In this particular incident, Purisima said a betrayal of public trust should be considered.
“Betrayal of public trust is an impeachable offense,” which is applicable to the chairman and commissioners of the Commission on Elections, he said.
Besides, candidates who lose the May 9 elections may use the hacking incident as grounds for contesting the results or to seek a failure of election, said Reginald Tongol, former assistant Cabinet secretary in the Presidential Communications Department and Strategic Office.
Senate President Pro Tempore Ralph Recto on Sunday called on the executive department to expedite the formulation of the country’s National Cybersecurity Plan and hire, the soonest time possible, “bored” Filipino IT experts as “cyber-commandos.”
Recto issued the appeal after a 20-year-old fresh IT graduate, who was arrested for hacking the Comelec website, admitted to the crime and claimed he did it out of boredom.
“Instead of wasting their talents, these talented Filipino internet experts should be employed by the executive department as white hat hackers to protect us from real cyber-criminals,” said Recto, principal sponsor of the Congress-approved bill creating the Department of Information and Communications Technology.
Recto said the DICT law mandates the creation of a “Cybercrime Investigation and Coordination Center.”
The DICT will also be tasked to formulate the “National Cybersecurity Plan” and form the “National Computer Emergency Response Team,” which, Recto said, will serve as “our IT Special Action Forces or cyber-commandos.”
“This should be our priority, the formulation of a National Cybersecurity Plan. Hacking is now a serious security threat, not only in the Philippines but also in the global arena,” Recto said.
“What we have is a Balkanized system. Personnel investigating cybercrimes are so few and, worse, dispersed among government offices despite the increasing volume of transactions in all kinds of commerce being done online,” Recto said.
He cited the case of the Philippine National Police-Anti-Cybercrime Group (PNP-ACG), which has a personnel complement of 110, “and this in a country where 70 million have social media presence.”
The National Bureau of Investigation, he said, is another frontline office which needs more ICT investigators and equipment to flag cybercrimes and tag those behind them.
“We now live in an era when terrorists don’t have to blast bank doors to do mayhem; but simply unleash a virus that could shred or suck out financial data. An enemy with a missile is as dangerous as one with malware,” he said. “Countries we are not so friendly with may target us and criminals will always want to hack their way to our financial system.”
He said the hack-attack on Bangladesh Bank shows that the threat is real and that counter-measures against cybercrime are urgent.
“The poor man’s ATM is vulnerable to hacking, too. There are identity thefts victimizing ordinary people,” Recto said, citing the “2014-2015 Cybercrime Report” prepared by the Justice Department, which ranked the Philippines 39th among countries with internet threat activities.
The PNP-ACG recorded an increase of 113 percent in cybercrime statistics from 288 incidents in 2013 to 614 incidents in 2014.
The senator said the Bangko Sentral ng Pilipinas reported 2,872 cases of ATM fraud during that period.
The growing menace of cybercrime, “and the jobs that the ICT sector can bring,” Recto said, should prod congressional and executive leaders to work for the immediate enactment of the DICT bill and thereafter implement it without delay. With Sandy Araneta
Recto said government can start organizing hack-fests, a competition to probe government websites for weaknesses.
In addition to auditing the security features of these portals, these hack-fests can serve as recruiting fairs for would-be government IT workers.
“An idle mind is the devil’s workshop and idle hands his tool. Let us put the mind and the hands of the Filipino hackers to good use through the DICT,” the senator added.
Malacañang said Sunday the Comelec is conducting appropriate measures to ensure the integrity of the automated election system, amid the recent hacking of the poll body’s website and leaking of voter data.
“It is the role of the Commission on Elections to ensure the integrity and order of the upcoming elections,” said Communications Secretary Herminio Coloma Jr., chief of the Presidential Communications Operations Office, during an interview over state-run radio station dzRB.
“The government trusts that the Comelec is conducting appropriate measures to further strengthen the integrity of the automated election system to be used in national elections on May 9,” Coloma said.
“Yesterday [Saturday] the Comelec again conducted a simulation of the actual election or mock election to promptly identify and address possible hitches that may occur during Election Day,” Coloma also said.
Comelec spokesman James Jimenez said the agency could protect the voters on May 9 despite the hacking of their website.
He assured voters that the Comelec website does not contain information that would affect their votes.
He said the Comelec will use a different website for poll result reporting on Election Day.