“COMELEAK” is the incident in which the database of the Commission on Elections (COMELEC) was illegally copied by the hacker group LulzSecPilipinas. The registration information of close to 55 million voters was disclosed without authority by the same group about five weeks before the national and local elections of May 9, 2016. The personal voter information included names, birthdays, and home and email addresses, among others. It also included voters’ biometric data (photo, fingerprint markers and signature), passport details of overseas Filipino workers, and other sensitive data. Another group provided an application on a website, “Wehaveyourdata”, that made it easier for curious internet users to look up records in the illegally copied database.
The National Privacy Commission (NPC), the agency created under Republic Act 10173, the Data Privacy Act, was just getting organized at the time of the Comeleak incident. The COMELEC failed to promptly notify the NPC of the data breach, as RA 10173 requires of any organization. In its infancy, the NPC had to hit the ground running and conduct an investigation into the Comeleak.
In the weeks that followed, the National Bureau of Investigation was reported to have arrested a suspect who had allegedly owned up to the deed.
It has been nine months since the Comeleak incident and nothing has been heard from the COMELEC or the NPC.
What can we make of the Comeleak incident?
Data protection is a practice that predates the use of computers in the collection, storage, and processing of information. With internet technologies now available, there is a greater challenge for organizations to ensure the protection of the confidentiality, integrity and availability of information.
The Comeleak incident simply demonstrates that the poll body failed to secure the data it had collected in the process of registering voters.
Given a database of about 350 gigabytes and the country’s slow internet speeds and limited bandwidth, copying it must have taken considerable time, yet the COMELEC failed to detect the pilferage. It failed to detect the spikes in network traffic. The data pilferage did not happen only on the day LulzSecPilipinas announced its deed; it had been going on for weeks. It is, by far, the world’s largest government-related data breach incident.
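As an added example (not from the article, and not the COMELEC’s own tooling), the following Python sketch shows the kind of egress monitoring that would have surfaced a multi-week copy of a 350 GB database: a robust spike rule for bursts and a CUSUM rule for a sustained low-and-slow transfer that never trips the spike rule. The per-day egress figures for the database server are constructed values, in megabytes per day, of the sort one would aggregate from firewall or NetFlow logs.

```python
"""Flag both a sudden burst and a low-and-slow outbound transfer from a
database server. Added example with constructed data, not code from the
article; daily egress is given in megabytes (MB) per day."""
from statistics import median


def transfer_days(size_gb: float, link_mbps: float) -> float:
    """Days needed to move size_gb over a link of link_mbps (megabits/s)."""
    bits = size_gb * 1024 ** 3 * 8
    return bits / (link_mbps * 1_000_000) / 86400


def egress_alerts(daily_mb, baseline_days=14, spike_k=5, cusum_h_days=3):
    """Return (spike_days, cusum_days) as indexes into daily_mb.

    spike_days : days whose egress exceeds median + spike_k * MAD of the
                 baseline window (catches a burst).
    cusum_days : days on which a one-sided CUSUM of excess egress over the
                 baseline median crosses cusum_h_days * median (catches a
                 sustained small increase that stays under the spike limit).
    """
    base = daily_mb[:baseline_days]
    med = median(base)
    mad = median(abs(v - med) for v in base) or 1  # robust spread estimate
    spike_limit = med + spike_k * mad
    spikes, cusum_hits, s = [], [], 0.0
    for i in range(baseline_days, len(daily_mb)):
        v = daily_mb[i]
        if v > spike_limit:
            spikes.append(i)
        # accumulate only the excess beyond normal noise (one MAD of slack)
        s = max(0.0, s + (v - med - mad))
        if s > cusum_h_days * med:
            cusum_hits.append(i)
            s = 0.0  # reset after raising an alert
    return spikes, cusum_hits


# Constructed series (MB/day): 14 quiet days, then roughly 900 MB/day extra
# trickling out for two weeks, then one large burst on the final day.
QUIET = [1800, 2300, 2000, 2600, 1900, 2100, 2400, 1700, 2200, 2000, 2500, 1900, 2300, 2100]
TRICKLE = [2900, 3000, 2800, 3000, 2900, 3000, 2800, 3000, 2900, 3000, 2800, 2900, 3000, 2900]
SERIES = QUIET + TRICKLE + [40000]

if __name__ == "__main__":
    print("350 GB over a 1 Mbps link takes about %.1f days" % transfer_days(350, 1))
    print("spike days, cusum days:", egress_alerts(SERIES))
```

On the constructed series the spike rule fires only on the burst day, while the CUSUM rule fires during the trickle phase (day index 24) and again on the burst; the trickle alone would have gone unnoticed by a threshold on single-day volume.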
What are the implications of the Comeleak incident?
There has been no report that voter registration data has been used in fraud or scams. There has been no report of identity theft or identity spoofing that could be traced to the Comeleak. But that does not mean it will not happen. While the website “Wehaveyourdata” has reportedly been taken down, it does not mean that the pilfered data has been deleted from the internet. Whatever has been placed or posted on the internet stays on the internet.
It is not yet known whether marketing organizations have made a copy of the COMELEC’s database. Information about voters can be used by marketing organizations in a variety of ways in developing marketing strategies.
The pilfered data can also be sold. Even the COMELEC acknowledges that the data can be monetized. COMELEC’s James Jimenez has been quoted in reports as saying, “We also cannot rule out at this stage that this may be an attempt by the hackers to monetize the data they claim to have.”
How can a voter’s registration data be used?
The Office of Senior Citizens’ Affairs (OSCA) requires the presentation of a Voter Registration Certificate before it issues a Senior Citizen’s ID. An unscrupulous individual could simply generate a fake certification using a voter’s registration record to be presented to the OSCA. This is just one example. There are many ways of using voter registration data in the commission of identity fraud.
What can the COMELEC do?
Information security practice involves a mix of special knowledge and skills. Information security practitioners need to have a keen understanding of the computer hardware, the operating system, the database management systems, the applications, the language used in the development of the applications, networking, and the information security solutions (both software and hardware) adopted by the organization.
The poll body should establish an Information Security Management System (ISMS) backed by an organization of qualified and knowledgeable information security practitioners. While desirable, it may not yet be necessary to staff the organization with certified information security professionals, who are in short supply. It must focus on developing information security skills and practice not only among its information technology personnel but among all employees who handle confidential or sensitive information. Word has it that some personnel have been sent for training. Those who have been trained should be given full support to translate their learning into good practice.
The COMELEC should also develop an Information Security Awareness Program to be promoted throughout the poll body’s organization.
Policies, procedures, rules and guidelines that ensure the ISMS is properly implemented across the organization, including for external access to the COMELEC’s information systems through its web services, need to be formulated.
The COMELEC should assess its current capabilities, define its information security posture, and adopt appropriate strategies that will protect the confidentiality, integrity and availability of data.
The poll body should likewise assess data protection solutions and adopt those that will help best protect data and the infrastructure that hosts the data held by the poll body.
The COMELEC should look into how it can appropriately respond to the mandates of the Data Privacy Act.