WAS the infamous “COMELeak” hacking incident preventable?
Before answering that question, let me share first the stance of the National Privacy Commission (NPC) regarding COMELeak. The NPC announced in a press conference last week that it found the Commission on Elections (COMELEC) liable in LC Case No. 16-001 for violations of Sections 11, 20, 21, 22 and 26 of RA 10173. Chairman Andres Bautista, two commissioners, and five directors were found liable for the “COMELeak” incident, the data breach of 76,678,750 voters’ personal information (e.g., gender, date of birth, mailing address, taxpayer ID number, email address, etc.). The case is now with the Department of Justice for prosecution.
At the press conference, NPC Chairman Raymund Liboro said: “Kailangan ang pag-iingat dito, prevention and mitigation, yun ang dinidiin ng batas na ito. Kaya nga ito, pinaparusahan dito hindi lang yung may ginawa, kundi yung hindi gumawa. Kasi yun ang esensya ng batas, proteksyunan ang personal information ng ating mga mamamayan.” (The law underscores the need to protect personal information through prevention and mitigation. That’s why we are punishing both those who committed something and those who did not do something. Because this is the essence of the law, protect the personal information of our citizenry.) It should be noted that hacked private data, once exposed to the public, may be used in the future for identity theft or for any other criminal purpose.
The NPC also noted that after the COMELeak incident on March 20 to 27, 2016, the COMELEC failed to immediately inform it of the breach. According to the NPC, such negligence is a criminal offense under the Data Privacy Act. Bautista, in his reaction to the NPC decision, said that when the COMELeak happened in March 2016, there were no implementing rules and regulations (IRR) to guide them in complying with the Data Privacy Act. I’m just wondering if Chairman Bautista said that because he may have remembered that AES Watch had been repeatedly telling him to promulgate the IRR of the Automated Election System Law, or RA 9369. After 20 years, and even under his leadership, AES Watch has not seen any draft of the IRR. The COMELEC could be getting a taste of its own medicine.
Another argument of Chairman Bautista is that the focus should be on arresting the perpetrators of hacking and not on punishing those who are hacked. He must have missed the essence of the Data Privacy Act in this regard. Arresting hackers has been going on for more than a decade now. In fact, the National Bureau of Investigation and the Philippine National Police have been helping track down suspected hackers. For the organizations that were victimized, it is easy to understand that their databases were compromised because their computerized information systems were vulnerable to hacking, as simple as that. Hence, RA 10173 mandates that organizations ensure that personal information in information and communications systems, in the government and in the private sector, is secured and protected. The NPC found that the COMELEC’s databases were not secured, and it has the evidence to prove it.
Now, let’s answer the question clearly: Was the infamous “COMELeak” hacking incident preventable? Yes, it was preventable and controllable. Let me trace the COMELEC’s agency plan from more than a decade ago and how it made the COMELeak inevitable.
Information security has not been a new thing at the COMELEC since it started implementing the Automated Election System (AES) in 2003. The COMELEC was trained by information security professionals and private companies on how to implement an information security management system (ISMS) based on the framework of ISO 17799 or its updated version, ISO 27000. Even the leading telco company trained the COMELEC on how to secure data in transit by using digital signatures back then. But despite all these efforts during the time of former COMELEC Commissioner Rex Borra, COMELEC officials did not even bother to apply in the last three elections what they had learned about ISMS.
For not adopting the ISMS at the COMELEC, our 2010, 2013 and 2016 elections were adversely affected. The COMELeak was the most infamous critical incident. Even the NPC cited the COMELeak as the globally recognized worst recorded breach of a government-held personal database. Other major incidents related to information security breaches include the unauthorized changing of characters from “?” to “ñ” in the transparency server at the height of canvassing on the night of May 9, 2016; the unexplained 60-30-10 phenomenon in 2013; the wrong senatorial vote count in 2013; and the staggering number of 256 million registered voters in the national canvassing server in 2010, when in fact there were only 50 million at that time.
Even though the COMELEC did not adopt an ISMS, the terms of reference for the 2010 bidding of counting machines stated that the supplier should be an ISO 27000-certified company. The winning bidder, Smartmatic, was not! The COMELEC tried to cover this up by claiming that it was practicing ISMS.
(To be continued)