‘COMELeak’: Telltale sign of poor governance



    WAS the infamous “COMELeak” hacking incident preventable?

    Before answering that question, let me share first the stance of the National Privacy Commission (NPC) regarding COMELeak. The NPC announced in a press conference last week that it found the Commission on Elections (COMELEC) liable in LC Case No. 16-001 for violations of Sections 11, 20, 21, 22 and 26 of RA 10173. Chairman Andres Bautista, two commissioners, and five directors were found to be liable for the “COMELeak” incident, or the data breach of 76,678,750 voters’ personal information (e.g., gender, date of birth, mailing address, taxpayer ID number, email address, etc.). The case is now with the Department of Justice for prosecution.

    At the press conference, NPC Chairman Raymund Liboro said: “Kailangan ang pag-iingat dito, prevention and mitigation, yun ang dinidiin ng batas na ito. Kaya nga dito, pinaparusahan dito hindi lang yung may ginawa, kundi yung hindi gumawa. Kasi yun ang esensiya ng batas, proteksiyunan ang personal information ng ating mga mamamayan.” (The law underscores the need to protect personal information through prevention and mitigation. That’s why we are punishing both those who committed something and those who did not do something. Because this is the essence of the law, protect the personal information of our citizenry.) It should be noted that hacked private data, once exposed to the public, may be used in the future for identity theft or for any other criminal purposes.

    The NPC also noted that after the COMELeak incident on March 20 to 27, 2016, the COMELEC failed to immediately inform them of the breach. According to the NPC, such negligence is a criminal offense under the Data Privacy Act. Bautista, in his reaction to the NPC decision, said that when the COMELeak happened in March 2016, there were no implementing rules and regulations (IRR) to guide them in complying with the Data Privacy Act. I’m just wondering if Chairman Bautista said that because he may have remembered that AES Watch had been repeatedly telling him to promulgate the IRR of the Automated Election System Law, or RA 9369. After 20 years, and even under his leadership, AES Watch has not seen any draft of the IRR. The COMELEC could be getting a taste of its own medicine.

    Another argument of Chairman Bautista is that the focus should be on arresting the perpetrators of hacking and not on punishing those who are hacked. He must have missed the essence of the Data Privacy Act in this regard. The arresting of hackers has been going on for more than a decade now. In fact, the National Bureau of Investigation and the Philippine National Police have been helping in tracking down suspected hackers. For the organizations that were victimized, it is easy to understand that their databases were compromised because their computerized information systems were vulnerable to hacking, as simple as that. Hence, RA 10173 mandates that organizations ensure that personal information in information and communications systems in the government and in the private sector is secured and protected. The NPC found that the COMELEC’s databases were not secured, and it has the evidence to prove it.

    Now, let’s answer the question clearly: Was the infamous “COMELeak” hacking incident preventable? Yes, it was preventable and controllable. Let me trace the COMELEC’s agency plan from more than a decade ago and how it made the COMELeak inevitable.

    Information security has not been a new thing at the COMELEC since it started implementing the Automated Election System (AES) in 2003. The COMELEC was trained by information security professionals and private companies on how to implement an information security management system (ISMS) based on the framework of ISO 17799 or its updated version, ISO 27000. Even the leading telco company trained the COMELEC on how to secure data in transit by using digital signatures at that time. But despite all these efforts during the time of former COMELEC Commissioner Rex Borra, COMELEC officials did not even bother to apply in the last three elections what they had learned about ISMS.

    For not adopting the ISMS at the COMELEC, our 2010, 2013 and 2016 elections were adversely affected. The COMELeak was the most infamous critical incident. Even the NPC cited the COMELeak as the globally recognized worst recorded breach of a government-held personal database. Other major incidents related to information security breaches include the unauthorized changing of characters from “?” to “ñ” in the transparency server at the height of canvassing on the night of May 9, 2016; the unexplained 60-30-10 phenomenon in 2013; the wrong senatorial vote count in 2013; and the staggering number of 256 million registered voters in the national canvassing server in 2010, when in fact there were only 50 million at that time.

    Even though the COMELEC did not adopt an ISMS, the terms of reference for the 2010 bidding of counting machines stated that the supplier should be an ISO 27000-certified company. The winning bidder, Smartmatic, was not! The COMELEC tried to cover this up by claiming that it was practicing ISMS.

    (To be continued)




    1. If Bautista is saying that there’s no RA 10173 IRR and therefore no basis for them to comply with it, that means our past 3 elections had no basis to implement the AES Law or RA 9369 as there’s no IRR! Pls clarify Bautista as you made us confused!

    2. What bothers me is the admission of a Comelec official that their website was not well-protected from hackers. And Chairman Bautista said that the commissioners are all lawyers and not IT specialists. Then why did they push thru with the AES in the 1st place, if they were not ready to handle an undertaking that requires IT know-how? This is what happens when we have too many lawyers in the government.

    3. Leodegardo M. Pruna:

      Whether Chairman Bautista likes it or not, he is guilty of gross negligence and therefore liable for the irregularities or misdemeanors done in the last electoral process. The fact that Smartmatic is not an ISO accredited outfit is a grievous sin and more so trying to protect it, probably because of change of hands of big dough. And, if we trace back the beginning of this, it stops on the YELLOWS with big P-Noy’s name. God save the Philippines.

    4. 1. The COMELeak was all over the news at that time. What did the National Privacy Commission do?

      2. Why only now file a case? Did it take almost a year for the NPC to investigate this?

      3. The hackers were apprehended sometime in April 2016. Any updates on this? Any cases filed? From the looks of it, by way of news articles, the government has a very strong case. I would think the hackers should now be in jail.

    5. The litany of unpunished sordid electoral events has finally caught up with Comelec. They thought their impunity against clean elections would last forever. Serves them well!