Comelec chair Bautista: Why punish the hacked?

Dharel Placido, ABS-CBN News

Posted at Jan 05 2017 02:50 PM | Updated as of Jan 05 2017 07:27 PM


MANILA – Commission on Elections (Comelec) Chair Andres Bautista on Thursday decried the decision of the National Privacy Commission to recommend criminal charges against him for the data breach that saw personal data of 1.3 million overseas Filipino voters, including their passport information, as well as fingerprints of 15.8 million people leaked on the internet.

Bautista argued that hacking is not a new phenomenon and many companies and government agencies here and abroad are confronted by cyber attacks despite putting security measures in place.

“Given the foregoing, should the focus not be on apprehending the hackers instead of punishing the hacked?” Bautista said in a statement.

In its decision dated December 28, 2016, the NPC said it found the Comelec guilty of several violations of the Data Privacy Act of 2012 for the data leak that occurred between March 20 and 27 last year.

NPC said Comelec violated Sections 11, 20, 21, 22 and 26 of the Data Privacy Act concerning security of personal information, accountability, and accessing of personal information and sensitive personal information, with penalties of 1-3 years jail time and fines of up to P500,000.

Bautista said, even before the hacking of the Comelec website, the poll body had been following accepted standards and international best practices in its technology-related activities and services.

In the wake of the hacking incident, the Comelec still managed to “respond to the security breach and identify, locate, and arrest the perpetrators” despite being in the thick of preparation for the May 2016 elections.

Bautista said Comelec even created a task force to look into the website breach, designated a Comelec resource person to the NPC, and ordered the Comelec’s executive director to comply with the reportorial requirements of the Data Privacy Act.

“Additionally, and going beyond what was instructed by the NPC, the Comelec en banc approved the establishment and maintenance of a voter Care Center. This is currently operational. To date, we have not received any call or inquiry related to the website breach,” Bautista said.

Bautista also said he was surprised to receive the NPC decision on December 29, the same day the Comelec submitted its compliance report to the commission stating that the poll body was able to comply with all of NPC’s instructions.

WHY BLAME ONLY ME?

Bautista lamented that the NPC decision “conveniently” pinned him as having the sole responsibility for the data breach, noting that data privacy and security were matters that the poll body’s members asked IT experts to take charge of.

“Unlike the NPC which is run by IT practitioners, the Comelec En Banc is currently managed by seven lawyers. Hence, we rely on our IT Department for expert advice on website/data security and privacy and IT-related matters,” Bautista said.

He emphasized that even as chairman, he is “not the collector, processor, and custodian of the database.”

“As the Head of Agency, in areas where I did not have specific expertise, I generally trusted the advice and recommendations of our IT experts,” said Bautista.

A group claiming to be Anonymous Philippines earlier defaced the Comelec's website, demanding that the poll body implement the security features of the vote-counting machines for the May 9, 2016 elections.

Meanwhile, another group, LulzSec, said it leaked online 340 gigabytes of the Comelec database.

The hackers failed to access any confidential information that may derail the 2016 elections, although details from “passports of certain overseas Filipino voters” were leaked, said Bautista.

At least two suspects have been arrested by the National Bureau of Information for the Comelec data breach.