Comelec risks lawsuit over data breach

Pia Gutierrez, ABS-CBN News

MANILA - Activist groups picketed the Commission on Elections (Comelec) on Friday morning to express indignation over the massive data leak of personal information of registered voters in the Philippines.

The protest came after a website that made the Comelec voter database searchable to users went live yesterday, triggering widespread fear and anger.

The website, allegedly put up by hacker group LulzSec Philippines, contained large portions of personal information from the stolen data, such as birth dates, emails, and home addresses. Such data can be used for anything from gaining access to personal email or social media accounts to more sophisticated attacks.

Activists said Comelec officials should be held accountable for the leak.

"Kailangang i-hold into account ang Commission on Elections sapagkat tayo ay nagrehistro sa Comelec. We operated on the basis of trust and that trust has been broken," Kontra Daya Convenor Prof. Danny Arao told members of the media.

Arao said the group is now studying the possibility of suing Comelec officials for violation of the Data Privacy Act.

The group expressed fears that the massive leak of voter information may be used for cheating in the May 9 polls.

"There is a possibility that it can be used for cheating especially in a situation that flying voters are still happening. People might steal the identities of people who are not voting anymore, there is that possibility," Arao said.

He said the Comelec should assure the public that the seeming lack of security or vulnerability of the poll body's official website should not reflect on the Automated Election System, particularly the Election Management System or EMS.

"What we are looking at here is transparency in terms of End to End Testing not just of the VCM but also of canvassing and transparency servers. We want to make sure that the server will really count what has been transmitted," he said.

"But the gravity of the situation goes beyond the May 9 elections because we are talking here of identity theft, harassment, intimidation," he added.

According to a tweet by Comelec spokesman James Jimenez, the website was taken down on Friday morning. This came after officials were able to contact the web hosting company and the US Department of Justice (DOJ) last night.


IT lawyer JJ Disini, lecturer at the UP College of Law, whose expertise is data privacy and security, urged the public not to share information about the site to avoid magnifying the harm to those whose names are there.

Disini also said hackers were able to get the encryption keys to unlock the data. The encryption keys were included in the data taken from the Comelec.

Disini likened the situation to a vehicle owner giving his car keys to a thief.

"It's like you stole my car and I gave you the keys with it. You stole data that is in the lockbox and somewhere in the stash that you got are the keys to open the box," he told ABS-CBN News Channel.

Meanwhile, data analyst Francis Gary Viray said it could be just a matter of time before all data in the Comelec database are fully decrypted.

He advised people to change the passwords and PIN numbers they use in applications that utilize personal information found in their Comelec profiles.

Viray also reminded people visiting the hackers' website that checking one's info there could be a ploy to validate a person's information, plant viruses or steal data stored in cookies in the user's browser.