Comelec withholds P90M for VCMs until cleared of data breach
The Commission on Elections (Comelec) is withholding payment of P90 million to its technology service provider Smartmatic because of a data breach uncovered in March, the poll body’s chairman Saidamen Pangarungan said Tuesday.
“We want to clear this matter about this leakage of some data,” said Pangarungan who attended a hearing of the Senate committee on electoral reforms and people’s participation.
The committee, chaired by Senator Imee Marcos, is looking into the reported data breach.
Pangarungan, who was appointed by President Duterte in March, said the Comelec would wait for the findings of the National Bureau of Investigation’s (NBI) probe before deciding what to do with its contract with Smartmatic.
He said this would include the possible sanctions against the company for any contract violations.
If it is shown that Smartmatic committed violations, its contract would be terminated, the Comelec chairman said.
Other sanctions, he said, include the possible blacklisting, forfeiture of performance security, damages pursuant to the Data Privacy Act and Civil Code of the Philippines, and the filing of criminal cases.
“So far, we have not put in any of these except to withhold payment to Smartmatic. I have not signed the voucher for the payment to Smartmatic in the amount of P90 million pursuant to our contract because we want to clear this matter about this leakage of some data,” he told the Senate hearing.
He said the P90 million was supposed to be part of the third tranche in the Comelec’s payment to Smartmatic that was due in early March.
Smartmatic legal counsel Christian Robert Lim, former acting Comelec commissioner, said the company was “cooperating in any way possible” with the NBI. He confirmed the withholding of the payment.
Marcos, the sister of presidential candidate Ferdinand “Bongbong” Marcos Jr., has rejected calls by a poll watchdog to resign as chairman of the Senate panel in view of her ties to the Marcos campaign.
At the same hearing, the NBI said the former Smartmatic employee implicated in the security breach was promised up to P300,000 in exchange for access to his company’s laptop.
NBI Cybercrime Division (CDD) chief Victor Lorenzo said Ricardo Argana of Smartmatic admitted during an administrative inquiry on Jan. 12 that he shared his credentials with an unknown third person he met on Messenger in exchange for “free lectures.”
Argana later on admitted that he was also promised from P50,000 to P300,000.
“In the administrative inquiry conducted by Smartmatic, he only admitted having been promised training modules in exchange for allowing them, the third party, to access his laptop in order to be connected to the Smartmatic facilities,” Lorenzo said.
“But, when he appeared in our office, he admitted that he was also promised, aside from training modules, he was also promised money ranging from P50,000 to P300,000,” he added.
In his presentation of the timeline of events, Lorenzo said Argana brought home his company laptop on Dec. 29, 2021 during the completion of tests in the Comelec warehouse. He returned it on Jan. 3, 2022.
He said there was an “unusual traffic and downloads logged in SMMT Systems” recorded from Dec. 28, 2021 to Jan. 2, 2022. The activity was traced to Argana, he added.
Lim admitted to this “unusual traffic,” saying there was “unusual heavy access of files” on the company’s internet server.
Lorenzo said that on Jan. 14, a certain XSOS Group sent an e-mail to Smartmatic claiming that it had infiltrated networks and exfiltrated its inner documentation. In the same email, XSOS was said to have offered to provide prevention services to Smartmatic.
On Jan. 16, XSOS sent another email threatening to send the files that it allegedly obtained to the Congress and the media.
Lorenzo noted that XSOS made four Facebook groups on Jan. 19, March 23, March 26, and April 15 and uploaded pictures of files allegedly taken from Smartmatic’s systems.
The NBI-CCD searched Argana’s residence and found his smartphone and some SD cards hidden in a room’s ceiling.
After the incident, Lim said the company has adopted a “more stringent approach” in screening employees, and are now requiring them to leave their laptops in the offices.
A total of 720 counts of unlawful access were filed against Argana, who is still at large, the NBI said.
Lim also said Smartmatic is now contemplating filing a civil case for damages against Argana.