The National Privacy Commission's findings on 'Comeleak' data breachPosted by Timothy James Dimacali on Wednesday, January 4, 2017
The National Privacy Commission (NPC) on Thursday recommended the filing of criminal charges against Comelec chairman Andres Bautista and the poll body for the theft of millions of voters' personal records in 2016.
Since dubbed "Comeleak," the cybersecurity breach is one of the biggest data heists in history that saw the theft of as many as 55 million personal records from the Comelec website, according to early estimates.
80M records hit but no efect on election
However, the exhaustive NPC investigation revealed that the number was closer to 80 million:
- 75,302,683 records comprising the Precinct Finder web application voter database
- 1,376,067 records comprising the Post Finder web application voter database
- 139,301 records comprising the iRehistro registration database
- 896,992 personal data records comprising the firearms ban database
- 20,485 records of firearm serial numbers, also from the firearms ban database
- 1,267 records comprising the Comelec personnel database
NPC commissioner Raymundo Liboro assured the public that the data breach did not affect the results of the national election. However, he underscored the gravity of the heist and the long-held need for stricter data privacy measures in the country.
"This is the largest security breach ever of a government institution anywhere in the world," Liboro lamented.
Violation of 2013 Data Privacy Act
In its 35-page decision, the NPC found the Comelec itself to have been in violation of Sections 11, 20, and 21 of Republic Act No. 10173 or the Data Privacy Act of 2012.
Comelec chairman Andres Bautista was also found to have violated the same sections, as well as Section 22 in relation to Section 26 of the same Act.
"We are not saying he is guilty, but we have substantial evidence, hence the recommendation to file charges (against Bautista). The evidence was sufficient to recommend prosecution," said NPC deputy commissioner Atty. Ivy Patdu.
The NPC criticized Bautista for his "lack of appreciation" for the need for stringent cybersecurity measures.
"Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of COMELEC's privacy and security policies and practices," the decision read.
'Comelec was negligent'
Patdu explained that the Comelec had no security measures in place, so it was only a matter of time before any data on the agency's site was stolen.
She also said that the agency should have implemented stringent end-to-end security beginning from the point of data collection, and not just on the website.
The responsibility for this falls squarely on the Comelec and its leadership, according to Patdu.
"It was a failure of duty required by law. It's tantamount to negligence," she said.
Patdu also lamented the irreversible damage caused by the hack.
"Our data is out there. The danger is there, even if it's not immediately apparent right now. It can be felt years from now. (That's why) we should urge government to take data protection seriously," Patdu said, warning that the data could be used for malicious purposes at any time.
The decision caps a months-long investigation into the crime.
'Misappreciation' of facts
Reached for his comments, Bautista said the NPC findings were based on "misappreciation" of facts.
"With all due respect to the NPC membership, we believe that the NPC decision was based on misappreciation of several facts, legal points, and material contexts," Bautista said.
He also defended himself after the NPC "conveniently points to the Head of Agency as solely responsible for the data breach."
Bautista said the Comelec en banc, "currently managed by seven lawyers," including himself, "(relies) on our IT Department for expert advice on website/data security and privacy and IT-related matters."
History of Comeleak heist
On March 27, 2016, a group of hackers gained access to the Comelec website and defaced the agency's page. A second group took advantage of the same vulnerability and managed to steal the agency's voter database, which happened to be accessible from the site.
The database was made public, exposing the personal information of millions of Filipino voters to identity thieves and other hackers.
Fear quickly spread that the information could be used to rig the looming presidential elections. The Comelec initially downplayed the gravity of the breach, but the Bangko Sentral ng Pilipinas issued a memorandum warning all banks to be wary of attempts at identity theft.
Within a month, the National Bureau of Investigation's Cybercrime Division arrested two suspected hackers who were allegedly directly involved in the breach.
In August, Bautista said that the poll body had committed to working closely with the NPC and the DOST to ensure the future security of Comelec data. — RSJ/GMA News