55M at risk in ‘Comeleak’
Voters’ personal information disclosed in a massive leak from a database of the Commission on Elections (Comelec) earlier this month could be used in crime, including electoral fraud, an Internet security company and an election watchdog said Friday.
The Comelec said, however, that the hacking of its voter database will not compromise the May 9 national elections.
Comelec spokesperson James Jimenez said the automated elections would be run on a different server, not on the one that was hacked, and that experts say the polls are unlikely to be compromised.
A hacker group defaced the Comelec’s website last month, and on April 6 a second hacker group posted the entire database online, with mirror links where the data could also be downloaded, according to a research by Internet security company Trend Micro, which first reported the breach.
The leaked data include names, birthdays, home addresses, e-mail, parent’s full names and in some cases passport details and text markers of fingerprints of more than 55 million registered voters.
Jimenez said the leaked data that were uploaded online were not fingerprints but text markers that cannot recreate the fingerprints.
According to the Comelec, there are 54.3 million registered voters in the country and 1.3 million overseas.
Tokyo-based Trend Micro said that with the breach, “every registered voter in the Philippines is now susceptible to fraud and other risks.
“With 55 million registered voters in the Philippines, this leak may turn out as one of the biggest government-related data breaches in history,” Trend Micro said.
According to Danny Arao, one of the organizers of the election watchdog Kontra Daya, flying voters could use the leaked data.
“Flying voters still exist. There is a possibility that some people might steal the identity of those who do not vote anymore or people who may have already died,” Arao told reporters.
“Even if there are pictures of the voters, the more enterprising flying voters will just make an effort to look like the persons in the pictures to cheat,” he added.
Taking a preemptive stance, the ruling Liberal Party (LP), whose presidential candidate, Mar Roxas, is trailing in the polls, appealed to the public not to point to it as the one behind the cyberattack on the Comelec.
“We are also alarmed at the leak of the information of millions of registered voters, and we are one of those who are calling for an investigation,” LP coalition spokesperson Barry Gutierrez said.
Arao said Kontra Daya was consulting its lawyers to see if it could bring a case against the Comelec.
“We’re looking at the possibility of filing [charges against the Comelec for violation of the Data Privacy Act],” he said.
In a statement, Kontra Daya said the leaked data could also be used for “targeted intimidation of voters, vote-buying and harassment.”
Despite an assurance from the Comelec, Kontra Daya said the leak could affect the integrity of next month’s elections.
The group said the leak exposed more than 55 million registered voters to identity theft.
Jimenez on Thursday acknowledged the possibility of identity theft, and advised the public not to use the hacked Comelec website.
“It can be used by the hackers to steal your information and thus expose you even further to the dangers of identity theft. We also cannot rule out at this stage that this may be an attempt by the hackers to monetize the data they claim to have,” Jimenez said.
On Friday, Jimenez said the United States helped the Philippines in taking down the website containing the voters’ data.
He said the website was taken down Friday morning.
According to Jimenez, the US justice department was contacted for help in taking down the website. The cybercrime office of the Philippine Department of Justice (DOJ) coordinated with organizations overseas to contain the data leak.
Jimenez explained that the Philippines needed help from the US justice department because the hackers’ website involved international companies.
He said the website was hosted in Russia, but the government was able to reach the hosting company and had it take the site offline with help from US authorities.
The government is tracking down and deleting copies of the data online, Jimenez said.
“We’re already taking down various sites that claim they have a copy of the data, even if we’ve not yet verified 100 percent that it’s really Comelec data,” he said.
Jimenez said the Comelec was investigating how the leak happened and who were responsible.
“Whether these people include Comelec employees, we will find out in due time. Internally, the Comelec is also looking at how it happened. We’re looking at possible negligence, weaknesses that could have been avoided,” he said.
National Bureau of Investigation agents late Wednesday arrested a 23-year-old suspect, Paul Biteng, a new graduate of information technology, in his home in Manila.
NBI officials said they were hunting down Biteng’s alleged accomplices, believed to be members of the hacker group Anonymous Philippines.
Malacañang on Friday condemned the cyberattack on the Comelec and vowed to prosecute the perpetrators.
Presidential Communications Secretary Herminio Coloma Jr. said government agencies, including the Department of Science and Technology, are closely coordinating with the Comelec “to further strengthen its security protocols.”
“Although verifications that have been made thus far have shown that the integrity of the automated election system has not been affected by the latest cyberattack, we share the public’s concern on the ill-effects of this act,” Coloma said.
“[The] government is determined to ensure that similar acts will not be repeated in the future and that the perpetrators will be prosecuted,” he said.
Bangladesh bank heist
The latest hacking scandal came amid an investigation into the cybertheft in February of $101 million from the Bangladesh central bank’s account in the Federal Reserve Bank of New York, and the money’s transfer to the Philippines and Sri Lanka.
A Philippine Senate inquiry has shown that $81 million was diverted to accounts created with fictitious names at a branch of Rizal Commercial Banking Corp., consolidated and then shifted to casinos and junket operators through a local remittance company.
The Philippine National Police Anti-Cybercrime Group (PNP-ACG) yesterday said it had coordinated with the banking industry to protect customers after the Comelec leak.
Senior Supt. Guillermo Eleazar, PNP-ACG chief, said the leaked data included basic information that could be used for banking transactions.
He advised voters to change their passwords and security questions for banking and online accounts to ensure privacy.
“Cyberspace has always been an open [space] so all users need to make an effort to secure themselves,” he said.
JJ Disini, a legal expert in information technology, said the biggest threat from the 300-gb Comelec leak was identity theft.
“This is almost every adult in the country. Because these are registered voters . . . everybody who has the ability to enter into a contract, open a bank account, get a credit card,” Disini said by phone.
Disini, a law professor at the University of the Philippines, said companies should take extra precautions in verifying the identities of their clients.
“This is worrisome. Something might happen in the future. For example, people might doubt who you are, challenge your identity if you apply,” he said.
“Perhaps it makes it harder now to borrow money (from the banks) because it’s easier to impersonate,” he said.
Registered voters also face other risks, including credit card fraud and false identification cards, he said. With reports from DJ Yap, Nikko Dizon, Jaymee T. Gamil, Tarra Quismundo and AP
Subscribe to INQUIRER PLUS to get access to The Philippine Daily Inquirer & other 70+ titles, share up to 5 gadgets, listen to the news, download as early as 4am & share articles on social media. Call 896 6000.