ONE of the Internet Protocol addresses that were used in “the worst recorded breach on a government-held personal database in the world” last March was traced to the National Bureau of Investigation, according to the National Privacy Commission.
“One large exfiltration occurred on the evening of 23 March 2016, by a computer with a registered IP address of 18.104.22.168,” the NPC said in its report on the hacking of the databases maintained by the Commission on Elections in March last year, an incident now known as “Comeleak.”
“[The NPC] later learned that this IP address was assigned to the National Bureau of Investigation from 13 October 2015, or six months prior to the exfiltration,” the NPC said.
NBI spokesperson Ferdinand Lavin, concurrent deputy director for Forensic and Scientific Research Services, said the agency could not make an official comment until after they confer with their computer crimes division.
But information technology expert Pierre Tito Galla, co-founder of the advocacy group Democracy.Net.PH, was alarmed that the computer network of the country’s premier criminal investigation agency was used in a crime.
“If it was someone from the NBI who exfiltrated the file, that means a member of one of our law enforcement agencies committed a crime,” Galla told the Manila Standard.
“It is important for the NBI to explain. In fact, I would say that the NBI has the responsibility to explain the fact that the Comelec breach was exploited by unknown person or persons using the NBI network,” he added.
He also called on the Department of Justice to investigate the Comeleak and detertmine the NBI’s possible involvement.
“I agree 100 percent with the NPC that the DoJ should investigate that,” Galla said. “The DoJ must institute measures that NBI personnel must not commit illegal access and other cybercrimes.”
Galla likewise scored Comelec Chairman Andres Bautista who have claimed “the poll body had been following accepted standards and international best practices in its technology-related activities and services,” even before the hacking of the Comelec website.
In fact, university professor Danilo Arao, a convenor of the poll watch group Kontra Daya, the Comeleak incident was sufficient ground to impeach Bautista, whom the NPC held accountable for his supposed mismanagement of the personal data of millions of Filipinos.
“If proven guilty, this could be a ground for Bautista’s impeachment, especially considering that the leak was initially reported by TrendMicro on April 6 and the Comelec at that time failed to disclose the extent of the breach,” Arao said in a statement.
“The officials’ past apologies for what happened are not enough as they should all be accountable for the damage they have done.”
On Thursday, the NPC found the Comelec liable for violating the Data Privacy Act of 2012 and recommended the criminal prosecution of Bautista for “the worst recorded breach on a government-held personal database in the world” last March.
The commission underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures.
Bautista, however, denied committing any wrongdoing for what has since been called the “Comeleak” that occurred between March 20 and 27 last year and argued that the NPC’s allegations were based on a “misappreciation” of several facts, legal points, and material contexts.
The group said that Bautista’s apparent neglect enabled hackers to gain access to the private information of millions of registered voters.
“The dereliction of duty is even more magnified by the fact that the Comelec website itself was defaced on March 27, thus putting into question the integrity and security of the commission’s information technology apparatus,” Arao added.