THE Palace came under fire Friday after internet users said they found proof that it was spreading hacked data containing the personal information of millions of registered voters.
A lawyer specializing in media law, Marlon Anthony Tonson, posted a screenshot on his Twitter account that showed a server used by the Palace, mail.malacanang.gov.ph, was among those seeding the hacked Commission on Elections database.
“Now who’s the idiot from Malacañang seeding the internet with the private information of registered voters from the #COMELEAK large-scale data breach?,” he posted.
On Thursday, unknown hackers created a website with a search engine to make the stolen voter data easily accessible—and searchable—by anyone with internet access.
The hacked database—including a 312-gigabyte archive file—is now available through BitTorrent, a peer-to-peer file-sharing system in which people downloading huge files are also making them available to others at the same time, in a process called seeding.
The screenshot posted by Tonson showed that the Palace mail server was among the seeders of the stolen database.
Another Twitter user posted a similar screenshot.
“The government, while obtaining a copy for themselves, contributes to the sharing, making it more accessible,” Edward Victor Tan said in his Twitter account,
Earlier, Comelec spokesman James Jimenez said the site set up by the group LulzSec Pilipinas that was hosted in Russia had already been taken down.
But security experts said this was too late, as copies of the database had already been exposed and circulated in that time.
Militant lawmakers, meanwhile, denounced the Comelec’s “lackadaisical” response to the massive voter data leak that leaves millions of registered voters vulnerable to identity theft and that could jeopardize the integrity of the May 9 elections.
“The massive data breach has manifold ramifications to all affected voters, yet the most insidious among these is the fact that unscrupulous groups—especially those currently in power—can use the data trove to commit automated electoral fraud of a scale unparalleled since the advent of automated polls,” Kabataan party-list Rep. Terry Ridon said as he joined several leftist groups who picketed the Comelec head office in Intramuros to denounce the data breach.
“With… sensitive personal information of [millions of] voters now uploaded on the internet and even searchable through a new search engine that sprouted recently, we cannot emphasize enough how the so-called ‘Comeleaks’ totally compromises the integrity of the upcoming elections,” Ridon said.
Bayan Muna party-list Rep. Neri Colmenares hit the Comelec for its criminal neglect and incompetence, which allowed a massive leak of its voter database. The data stolen—then later posted by the hackers on a public website—included sensitive information on registered voters, including their home addresses, birthdates, and passport numbers.
Colmenares slammed the Comelec for the security breach.
“Not only was the Comelec website easily hacked, the culled data was also uploaded to a website and exposed the sensitive and personal information of millions of Filipino voters to identity thieves and other predators. All cases of identity theft now could be blamed on the Comelec,” Colmenares said.
“The Comelec has utterly failed in its obligation to protect the fundamental human right of privacy of the Filipino people. The situation endangers the security, life and property of each one of us,” Colmenares added.
Under the Data Privacy Act or RA 10173, Colmenares said it is the responsibility of the head of the agency to ensure that sensitive and personal information it maintains remain secure, using the most appropriate ICT standards.
“Under the same law, negligence of the agency resulting in a large-scale breach is punishable by imprisonment of up to six years, fine and disqualification to hold public office. The agency must also be held accountable for concealment of this security breach, which is likewise punishable by imprisonment, fine and disqualification,” Colmenares said.
“The extent of the data breach is in the hundreds of thousands at the least so the maximum penalty may be meted to those responsible. I would not be surprised if the Comelec would face a lot of lawsuits after this,” Colmenares said.
A group identifying itself as Anonymous Philippines defaced the Comelc website on March 27 to call on the poll body to implement security features in the vote-counting machines that will be used in the May 9 elections.
Another group, LulzSec Pilipinas, then uploaded what it claimed to be the Comelec’s whole database consisting of 340 gigabytes of data.
While the Comelec earlier downplayed the effects of the data leak, internet security software company Trend Micro said that about 1.3 million records of overseas Filipino voters.
The cybersecurity firm also warned that the data dump may also include—albeit in encrypted format—personal data of the 55- million registered voters in the Philippines, possibly making the leak one of the “biggest government-related data breaches in history,” surpassing the hack of the US Office of Personnel Management in 2015.
Comelec spokesman James Jimenez said the website containing the leaked data had been taken down less than 24 hours after it went online.
“As soon as we found out about that website, we referred it to [the] NBI to take [it] down,” Jimenez told GMA News.
He said the website had been hosted on a server in Russia, but the government was able to contact the hosting company and have them take the site offline with some help from US authorities.
“As of this morning (Friday), the NBI has informed me that they have taken down the website, after the Cybercrime department of the Justice department contacted its counterpart in the US,” Jimenez said.
Jimenez also said that the government is already tracking down and deleting copies of the information online.
Security experts, however, said the damage had been done, and that the data may have already been copied countless times.
They also said it was unlikely that the stolen data could be used for electoral fraud, but it could expose millions to cybercrimes such as phishing and identity theft.
The NBI said it was open to obtaining information from the hacker who was arrested Thursday, Paul Biteng, 20, of Sampaloc, Manila.
“Right now, we don’t entertain deals with the suspect, but if he will give us information freely, why not?” said Ronald Aguto Jr., head of the NBI Cybercrime Division.
Biteng has been charged with violating the Cybercrime Prevention Act, which deals with confidentiality, integrity and availability of computer data and systems.
The NBI arrested Biteng based on a search warrant issued by a Manila regional trial court, and came after three weeks of surveillance.
“We are working some leads and we are now conducting forensic examination of the computer used by the suspect. We’re hoping that we are getting good leads,” Aguto said.
He also ruled out a connection between the release of the voters’ data to Biteng’s arrest.
So far, Aguto said, no politicians or other prominent individuals have been tied to the case.
“Based on our initial investigation, there is no politician involved... In fact, he used an old computer and he claimed it was given by a friend. If he was being used by a politician or if somebody organized this, his equipment would be top of the line,” he said.
In 2000 when hacking was not yet a crime, AMA computer college student Onel de Guzman was placed under investigation after he allegedly invented the “I Love You” virus which reportedly caused damage worth between $5.5 billion and $8.7 billion worldwide.
Candidate for vice president Senator Ferdinand Marcos Jr. on Friday urged the NBI to make the investigation swift, to hold the culprits accountable and to make sure that they will not be able to do anything to the data that they were able to copy from the Comelec.
The senator expressed alarm over the hacking of the voters’ list, saying the incident puts the credibility of the elections on the line.
“The Comelec should treat this as a dangerous security breach because voters’ data are made accessible to the public,” Marcos said.
Social media was abuzz Thursday afternoon when the website wehaveyourdata.com uploaded what appeared to be the details of the registered voters from the Comelec website.
The Palace on Friday condemned the cyber attack on the Comelec.
“Government strongly condemns the latest cyber attack on the website of Comelec. Concerned government agencies, including the DOST-Information and Communications Technology Office (ICTO), are closely coordinating with the Comelc, to further strengthen its security protocols,” said Communications Secretary Herminio Coloma, Jr., in a statement.
He said the integrity of the automated election system would not be affected by the latest cyber attack.
“We share the public’s concern on the ill-effects of this act,” Coloma said.
“Government is determined to ensure that similar acts will not be repeated in the future and that the perpetrators will be prosecuted in accordance with law,” said Coloma.
Comelec Commissioner Rowena Guanzon earlier raised the question of accountability with her colleagues during meetings of the poll body.
“I don’t know if heads should roll, but I think that we have to call the director of ITD (Information Technology Department) to explain why this happened and what do they intend to do to make our website more secure,” Guanzon said when asked if certain people should be fired.
“If there is gross neglect, that is a ground (for dismissal) under civil service rules,” she added.
The Comelec, through its spokesman as well as Chairman Andres Bautista, have apologized for the release of sensitive information about millions of registered voters.
The camp of administration candidate Manuel Roxas II said he would never be behind any move to leak sensitive information to compromise the integrity of the elections.
“Mar [Roxas] was also the victim of cheating in 2010—we will never allow anyone else to experience this and thwart the voice of the people,” Rep. Barry Gutierrez, a spokesperson for Roxas, said.
“It is not right to link this and allegations of cheating to the Daang Matuwid Coalition. This issue should not get politicized. We are all affected by theset,” he added.
Militant groups on Friday accused Roxas and the Liberal Party of being in the best position to take advantage of the polls by inflating votes for the administration bet using the hacked data trove.
“Who’s in the best position to commit such massive electoral fraud? The ruling Liberal Party of course, with its current unparalleled command of government funds and resources,” Ridon said in a statement Friday.
Ridon fear that the recent data dump can be used to manage the results of the polls.
“This is alarming. Whose stopping anyone with enough resources to print millions of fake IDs based on the information in the data dump to hack the upcoming polls? Worse, anyone with the technical capability can write a program that can use the data dump to inflate votes automatically,” he added.
Gutierrez however, said administration critics should not resort to “fear mongering.”
“We also ask our people—take measures to protect their personal information, but don’t easily believe fear mongering of others. If we think carefully, those who offer a solution to the fear are the ones who started the fear in the first place,” he said. – With Joel E. Zurbano, Sandy Araneta and John Paolo Bencito