Stolen Comelec data 'ripe for identity theft'

Alexander Villafania, ABS-CBN News

If criminals can get their hands on the stolen voters’ data from the Commission on Elections (Comelec), it is not just an issue of stalking but a long-term problem of identity theft. 

In the latest development on the defacement of the Comelec website and subsequent theft of voter’s data, the group that allegedly carried out the attack put up a website that made the data easily viewable. 

While the stolen data was already made available for download via online torrent services just days after, creating an online portal made it easier for ordinary web users to look into individual personal data. 

READ: Data breach: Website uploads voter info, Comelec downplays leak

The website, allegedly put up by notorious hacker group LulzSec Philippines, contained large portions of personal information from the stolen data, such as birth dates, emails, and home addresses. Such data can be used for anything from gaining access to personal email or social media accounts as well as for more sophisticated attacks. 

[“Comelec hacking threatens security of voters: Trend Micro”]

In an interview with ABS-CBN, Albert Dela Cruz, director of the Philippine Computer Emergency Response Team (PH-CERT) said that gaining access to the personal data of voters can be used as an entry vector for identity theft, adding that it is "ripe for identity theft."

“Mixed with some social engineering and phishing it could be anything… [including stealing] bank accounts,” Dela Cruz said. 

Phishing is a technique used by criminals to trick people into giving away more confidential data, such as bank account details. It can be done through email, private messages on social media, or mobile short messaging. 

With the stolen information, a criminal can pretend to be another person and conduct legal transactions. 

The stolen data gives phishers more advantage to conduct their modus and the allegedly 55 million in stolen voters’ data provide just enough of the basic information to provide entry. 

“Phishers can use the info they gathered, which is legit info. So if they are going to fool you via email phishing. You are more prone to believe them,” he said. 

While ordinary citizens are not immediate targets, high profile personalities are more vulnerable, primarily because they are “worth more,” according to Dela Cruz, who added that stolen information can no longer be “recovered” in a sense. 

“That’s the very sad part of stolen personal information. Once someone has it, it’s there for good,” he said. 

The security expert also blasted Comelec for failing to implement protective measures and best practices against such attacks. 

“There's a lot of security best practices and standards that the government can use to guide them on what systems and policies to put up to create the secure environment…. And conducted vulnerability assessment prior to launching any service,” Dela Cruz said. 

In an interview with DZMM this afternoon, Atty. Jose Jesus Disini, technology law expert from the University of the Philippines College of Law, said that the alleged site where the stolen data was uploaded should be taken down. 

“In the US, something similar happened but the data was not made available to the public and the US government was able to stop it from going online,” Disini said. 

Like what Dela Cruz said, Disini laments that with the information already made available online, it would be difficult to know what the next move should be for a person whose data is compromised. 

“Unless you’re changing your name, or moving out of your house…. With your data, someone can pretend to be you and use your information for their own gain,” Disini said. 

KNOW THE WHOLE STORY