Comelec Commissioner Rowena Guanzon, who is retiring next month after a seven-year term, denied Wednesday the poll body’s systems were hacked which allegedly compromised sensitive data as claimed by an English language broadsheet report Monday.
“FAKE NEWS: Comelec server was hacked, not true. Manila Bulletin editor must verify,” Guanzon said in a tweet.
On Monday, MB reported its Technews Team had verified information from an unnamed source about the supposed hacking that took place Saturday.
“[T]he hackers’ group managed to breach the system of the Comelec last Saturday, Jan. 8, 2022, and download files that included, among others, usernames and PINS of vote-counting machines (VCM),” the article read.
The article claimed hackers also took network diagrams, IP addresses, list of all privileged users, domain admin credentials, list of all passwords and domain policies, access to the ballot handling dashboard, and QR code captures of the bureau of canvassers with login and password.
Comelec spokesman James Jimenez himself questioned the veracity of the report because it did not elaborate on the “verification” process it supposedly carried out to confirm the alleged hacking.
“We invite the authors to shed light on their allegations, particularly with regard to the ‘verification’ they claim to have carried out,” Jimenez said.
On Wednesday, the National Privacy Commission issued separate orders to the Comelec, MB tech editor Art Samaniego and Manila Bulletin to appear for a “clarificatory” meeting via teleconference on Jan. 25 regarding the supposed data breach.
In a statement Wednesday, Privacy Commissioner John Henry Naga said: “The NPC’s Complaints and Investigation Division commenced its own independent investigation and issued a notice to Comelec requiring them to explain the alleged hacking and data breach.”
He said the Comelec “must address the serious allegations” to determine whether personal data were compromised or processed in connection with the upcoming 2022 national and local elections.
“Comelec is also directed to conduct a comprehensive investigation on the matter and submit to the NPC the results thereof no later than January 21, 2022,” Naga said.
He assured the public that the NPC does “not tolerate any act in violation of the Data Privacy Act” such as negligence in implementing organizational, physical, and technical security measures on personal data processing systems, whether in government or private institutions.