Comelec hacking threatens security of voters: Trend Micro

Jojo Malig, ABS-CBN News

1.3M passports, 15.8M fingerprints compromised in Comelec site hack, says security software firm.

MANILA - Personal data of 1.3 million overseas Filipino voters, including their passport information, as well as fingerprints of 15.8 million people were compromised in the hacking of the Commission on Election's (Comelec) website last March, according to a global security software company.

Trend Micro, in its analysis of the defacement and subsequent leak of the Comelec's entire database online, said the data dump "may turn out as the biggest government related data breach in history."

It said the attack left 55 million Philippine voters at risk, surpassing the U.S. Office of Personnel Management hack in 2015 that leaked personal data of 20 million US citizens.

"Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and list of peoples running for office since the 2010 elections," Trend Micro said.

It added that among the data leaked online by hackers were files on all candidates running in the election "with the filename VOTESOBTAINED."

"Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED file are set to have NULL as figure," the security software company said. "The Comelec website also shows real time ballot count during the actual elections. While Comelec claims that this function will be done using a different website, we can only speculate if actual data will be placed here during the elections and if tampering with the data would affect the ballot count."

It warned that criminals can use the leaked personal information of Filipino voters for extortion and other illegal activities. "In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC [Business Email Compromise] schemes, blackmail or extortion, and much more."

COMELEC REACTION

Comelec spokesman James Jimenez told ABS-CBN News that the poll body is still checking Trend Micro's allegations.

"Considering technical nature of post, will have to check its allegations, its sources, and what it claims to have studied," Jimenez said. "Considering the technical nature of the blog entry, I won't comment until I've discussed the matter with our IT Department."

The Comelec earlier downplayed the hacking of its its website.

In an interview with dzMM, Comelec chairman Andres Bautista claimed that hackers failed to access any confidential information that may derail the 2016 elections.

"I was told wala naman daw confidential information na nakuha. Kumbaga, hindi naman ito makakaapekto sa aming paghahanda para sa ating darating na halalan," he said.

The Comelec also asked the National Bureau of Investigation (NBI) Cybercrime Division to identify the perpetrators of the hacking of the poll body's official website.

A group claiming to be Anonymous Philippines defaced the Comelec's website, demanding that the poll body implement the security features of the vote-counting machines for the May 9, 2016 elections.

Meanwhile, another group, LulzSec, said it leaked online 340 gigabytes of the Comelec database.

Trend Micro said the second hackers' group made the database available for download by the public on several websites.