
Comelec takes steps vs. possible voter data breach


The Commission on Elections (Comelec) on Monday said it has already undertaken several security measures to prevent another breach of personal information of registered voters.

This came after the reported robbery last month of a desktop computer in Wao, Lanao del Sur, that contained the biometric data of the town's voters and the demographic data of all registered voters in the country.

"Our robbery incident is currently being investigated by the Wao Philippine National Police," Comelec Executive Director Jose Tolentino Jr. said in a press briefing at the Department of Information and Communications Technology (DICT) office in Quezon City.

On January 11, unidentified people broke into the Office of the Election Officer in Wao, Lanao del Sur, and stole the desktop computer containing the Voter Registration System (VRS), an application used to encode demographic data and capture biometric data of applicant voters.

Also found in the computer were the National List of Registered Voters (NLRV), which contains demographic data of all registered voters in the country, and the Voter Search system, which uses the NLRV to determine if the applicant has already registered.

The VRS contains the detailed personal information of a total of 58,364 registered voters of Wao, Lanao del Sur, of which 40,991 are registered voters for the upcoming barangay elections as of October 19, 2016, while 17,373 are registered for the Sangguniang Kabataan elections as of September 13, 2016.

Meanwhile, the NLRV contains only the demographic data of approximately 75 million registered voters in the country as of October 17, 2016, of which 55 million are active and 20 million are deactivated.

The NLRV does not contain the biometrics data of the national registered voters.

While the incident happened on January 11, it was only reported to the National Privacy Commission (NPC) more than two weeks later, on January 28.

"It took Comelec more than two weeks to submit a report because Comelec's mindset is on the operational aspect of the registration," Tolentino said.

"That's why the first thing that we did after we found out that the computer had been stolen is to ensure that another computer will be available for Wao so that the registration process would not be delayed," he added.

Tolentino, however, noted the data from the VRS and NLRV were encrypted with AES-256 encryption.

According to DICT Assistant Secretary for CyberSecurity and Enabling Technology Allan Cabanlong, AES-256 encryption is "one of the top" encryption systems.

"Technically, you really cannot break AES-256 if you don't have the key," Cabanlong told reporters.

Security measures

However, to prevent any possible breach, the NPC, in a Compliance Order dated February 13, instructed COMELEC to erase all copies of the NLRV in its computers nationwide, following the recommendation of its investigating team.

"We issued an order based on the recommendation of our investigating team, and we sent it immediately to the Commission on Elections," Privacy Commissioner Raymund Liboro said.

NPC has also directed COMELEC to inform all data subjects affected by the possible data breach within two weeks.

The poll body was also tasked to individually notify Wao registered voters with records in the VRS about the incident.

Comeleak

"This is already Comelec's second large-scale data breach in a span of less than a year," Liboro said. "[NPC] is very concerned especially since there's ongoing voter registration nationwide."

"We just need to speed up these kinds of things because incidents like this are getting ahead of us," Liboro added.

In March last year, a group of hackers gained access to and defaced the Comelec website. A second group took advantage of this vulnerability and managed to steal the agency's voter database.

The database was made public and exposed the personal information of millions of registered voters. It has since been known as the "Comeleak."

For its part, Comelec has issued a memorandum dated January 23 recommending the installation of CCTV cameras in all field offices.

A memorandum was also issued by the poll body dated February 1 to all its Regional Election Directors prescribing interim security measures and controls that will secure and prevent loss and unauthorized access of data.

The poll body is also seeking the approval of the Commission En Banc on February 14 for revisions to the VRS and NLRV.

These include limiting the amount of personal data in the NLRV database, a mandatory change of password on a quarterly basis, and limiting the use of the NLRV in the local field offices to 81 Provincial Election Supervisors instead of 1,656.

"For me, the data breach has not yet been confirmed. In fact, such breach is quite remote because all the data is encrypted," Tolentino said.

"Nevertheless, we shall abide by the Compliance Order issued by the NPC to notify the subjects concerned," he added. —KBK, GMA News
