Privacy body summons Comelec 3rd party provider in 'hacking' probe

The National Privacy Commission has summoned the Commission on Elections’ “third-party” provider in its ongoing investigation into the alleged hacking of the poll body’s data servers.

In a statement, the NPC said it ordered the Comelec's third-party provider, which is possibly involved in the issue, to appear in a clarificatory hearing before the Privacy body.

However, the NPC refused to identify the third-party provider to avoid premature disclosure of any information as the issue is still under clarificatory probe.

NPC's statement came after the Department of Information and Communications Technology (DICT) said that its “preliminary findings suggest that a hack was not possible due to the Vote-Counting Machine (VCM) system being offline and the lack of existing data on the Automated Election System (AES) that could be breached.” 

The DICT and NPC are conducting probes based on the January 10 published report by the Manila Bulletin that indicated hackers allegedly gained access to the Comelec’s servers and allegedly stole crucial files including usernames and personal identification numbers of vote-counting machines (VCMs).

Manila Bulletin's tech news team reported that 60 gigabytes of data was illegally acquired from the servers.

According to the NPC, it is also pursuing leads regarding this issue, “including a group of hackers claiming responsibility for the hack, especially on matters involving personal data.”

“Rest assured we are continuing the investigation to determine if personal data was compromised, violations of the Data Privacy Act were committed, and the responsible individual or group for this incident,” said Privacy Commissioner John Henry Naga.

Moreover, the Privacy body said that it conducted separate clarificatory meetings on January 25, 2022 with representatives from the Comelec and Manila Bulletin regarding the alleged hacking and data breach involving Comelec servers.

It said that the Comelec has continued to deny that the database of overseas voters was compromised and clarified that a list of overseas voters is made publicly available on their website as mandated by law.

When asked to confirm if some of the artifacts came from their servers, Comelec reiterated that it cannot be so since those were not yet generated for the 2022 elections, according to the NPC.

On the topic of their full incident report, the poll body sought for extension of time to submit the approved report, the NPC added.

The Comelec is directed to submit the full incident report on or before January 27, 2022.

Also, It is ordered to submit additional documents discussed during the clarificatory meeting, according to the NPC.

“In a separate clarificatory meeting, Mr. Art Samaniego, Jr. and Manila Bulletin confirmed that the artifacts gathered by the NPC are the same artifacts that were the basis of their published report,” the Privacy body said.

“NPC required Mr. Samaniego and Manila Bulletin to provide additional artifacts for analysis and comparison with the artifacts collected by NPC’s Complaints and Investigation Division,” it added.

The artifacts were submitted to the NPC on January 26, 2022, the Privacy body said.

Further, it said that the separate meetings were attended by Executive Director Bartolome Sinoruz Jr., Director James Jimenez, and Director Jeanni Flororita from Comelec; and Herminio Coloma Jr., General Reynaldo Rafal, and Art Samaniego Jr. from the Manila Bulletin. —LBG, GMA News