Comelec data leak: How to protect yourself

Posted at Apr 21 2016 07:55 PM


Last March 17, 2016, the Commission on Elections (COMELEC) was the subject of a number of cyberattacks; one attack resulted in the defacement of the official website, another resulted in the compromise of a public-facing database.

On Thursday, April 21, 2016, unknown persons put up a publicly-accessible website containing the data of the compromised database, for purposes as yet unknown. 

Whatever their purposes, you are not safe.

You may be at risk of identity theft and of the compromise of your personal financial information and privacy. You may be vulnerable to online and offline social engineering attacks and other cyberattack modes.

How to Protect Yourself

• Evaluate the degree to which you are compromised by the publication of the database information by accessing the website USING A PROTECTED NETWORK AND A PROTECTED COMPUTER (your firewalls and antivirus software should be properly updated).

• Knowing what is at risk, take immediate steps to strengthen online accounts:

- Immediately increase privacy and security levels for email accounts, banking and financial portals, social network accounts and other user interfaces. Wherever possible, enable 2-factor authentication (2FA) for your accounts.

- Immediately change all security questions and all answers to security questions to information that cannot be guessed from the compromised database.

For example, change all “what is your mother’s maiden name” or “what is the name of the street you used to live in” to other security questions.

For better account security, ensure the use of synonyms and alphanumeric combinations for answers; for instance, an answer “baguio” is better typed “bagu10,” or even better, “B@gu!0”.

For even better account security, use misdirective or erroneous answers that are not difficult to remember; for instance, if you use the question “what was the name of your first pet?” use the name of a former boss or teacher.

- When possible, and through the use of the telephone, make arrangements for your banks and similar institutions to contact you prior to any transaction being allowed to go through, or to have a means of allowing you to authenticate your transaction.

- Take steps to ensure the security of personal information that may be the subject of identity theft:

As soon as practicable, secure your authenticated NSO birth certificate and other identity certificates, and renew your NBI clearance to have basic identity information in case of a challenge due to identity theft attacks.

If possible, renew identity cards (e.g., PRC and other IDs), passports, and licenses, as these are the documents typically compromised by identity theft attacks.

Instruct your local Human Resources representative or equivalent to be strict in the non-disclosure of your personal information without formal request and without your permission.

- Protect yourself from social engineering attacks:

Do not open, share, or forward suspicious emails, or click suspicious links. Protect your computers with updated antivirus and firewall software.

Do not share your personal information unless you absolutely trust the recipient.

Share your cybersecurity practices with your family and friends; the weakest link in a social network is the one person who did not protect himself or herself.

You can minimize the threat of attacks on you through common sense and due diligence. That said, in the event of a personal data privacy attack, social engineering attack, or cyberattack, contact the National Bureau of Investigation (NBI) Office of Cybercrime, the Philippine National Police Anti-Cybercrime Group (ACG), and the Privacy Commission as soon as you detect an attack.


Democracy.Net.PH are the drafters and supporters of the #MCPIF, a crowdsourced document by netizens committed to espousing internet freedom in the Philippines.