The COMELEC Data Leak and Its Implications
Mike Togle
April 22, 2016
On March 27, 2016, the COMELEC’s website was hacked by Anonymous Philippines. A few hours after the announcement, another hacker group, LulzSec Pilipinas, posted a data dump of what it claims to be a COMELEC database containing voter and candidate information.
This incident caused a significant uproar locally, given that our national elections are a month away. It also garnered major buzz internationally because the data leaked was larger than the 4-million-record OPM data breach in the United States. This makes the COMELEC Data Leak the largest ever government hack.
Rather than speculate on how the hackers got in and stole the data, I want to dwell on the implications of this breach for the COMELEC and you, our dear voters.
Your data is out there. Deal with it.
Many organizations and individuals, including Trend Micro and Troy Hunt, analyzed the data and came to the conclusion that the database contains the legitimate data of 55-million registered Filipino voters.
Let that sink in for a moment: the private data of 55 million Filipinos is currently out in the open and possibly fair game. Full names, email addresses, names of spouses, addresses, parents’ names, and passport numbers were some of the information obtained. Spammers could have a field day with the email addresses alone, not to mention the identity thieves.
Dear registered voter, I suggest you go to www.haveibeenpwned.com and check to see if your email address is listed there. If it is, then I hope you have a good spam filter. Also be on the lookout for spear-phishing emails, as attackers now have enough information about you to make them convincing.
To add insult to injury, it seems digitized fingerprint data was also included in the data dump. It can’t get any more personalized than that. Expect a lot of government agencies, not the least of which would be the FBI, NSA and CIA, to include your fingerprints in their AFIS databases. I hope you haven’t been naughty, dear voter.
There is no putting this genie back in the bottle. You can get a new email address, but it’s doubtful you’ll be moving to a new apartment or condo anytime soon.
Lapses in Judgment by COMELEC
It seems to have escaped the attention of whoever was in charge of information security in the COMELEC that the Philippines enacted a Data Privacy Act (DPA) in 2012 (RA 10173). Sections 20 and 21 of the DPA require entities that hold and control personal information to ensure that security measures are in place to protect the personal information they hold. The DPA also requires them to notify the people whose personal information was leaked.
Given that the data dump was provided in a clearly readable format, I recommend that COMELEC contact whoever designed their application and database and try to get their money back.
And, we, the ones whose data have been stolen, are still waiting to be informed.
The COMELEC continues to stay silent on the nature of the data that was stolen, only going as far as to issue a statement that no biometric data was leaked. Such a statement flies in the face of the evidence contained in the data dump that was uploaded, which clearly shows fields marked to store fingerprint data.
So much for Biometric Validation
Recently, the COMELEC has announced that it will not implement the Voter Verification System (VVS) that serves to validate a voter’s credentials against his biometric data before allowing him/her to vote. In its place, the COMELEC will implement the usual slow manual procedure we’ve seen in previous elections.
More than the slowness, the fact that it relies on someone to look up a voter’s registration and validate credentials the old way does little to assure the voting public that mistakes or shenanigans will not take place. Without citizen-enacted checks and balances to ensure integrity of the electoral process and results, we can expect losing candidates (and voters) to cry foul, and claim to have been cheated.
But wait, there’s more!
Perhaps the scariest realization I’ve had is the thought that if people can get the data out of COMELEC’s systems, what if they were (or are) also able to REMOVE, CHANGE data or PUT data in?
Think about it.
And, do you think it is time to hide somewhere far, far away for some time?
I wouldn’t want to leave you guys on a sour note, so here are some tips on how to protect yourself:
- Do not visit the website where the data was posted. Hackers could be monitoring who visits the website and what information is looked up. They could make connections based on what data was searched for. Also, since the site is receiving a tremendous amount of traffic right now, hackers may have planted malware on the website that could compromise your PC or mobile device just by visiting it.
- If you are concerned whether your email address is part of the 200,000 email addresses leaked, please visit www.haveibeenpwned.com. It is a well-known site that tracks data breaches and lets you know if your email address was compromised by a breach. The site’s owner, Troy Hunt, recently updated his database to reflect the recent COMELEC breach.
- Make a list of all your accounts — email, bank accounts, credit cards, memberships, etc. If any of those accounts use security questions that are answerable by any of your data in the fields highlighted above, change the questions ASAP. You can do this online for some, but for the rest it is best to pay them a visit. Don’t forget to bring several valid IDs with you when you do.
- Check your billing statements and other statements of account. Look for changes in your account details and unusual/unexpected transactions.
- Enable multi-factor authentication whenever possible. Have a one-time-pin (OTP) sent to your mobile device whenever you log in to your account and whenever you change your password or other account details.
- Some companies provide a service where they send you a notification whenever your account is accessed (e.g. BPIExpressOnline). Contact them to have these features enabled.
- Watch out for spear phishing – a targeted form of email phishing scam where emails sent by scammers are personalized to you, which makes them more believable. When in doubt, check the email source details and verify that the email is coming from the correct email address of the person who sent it to you. You could also forward the email to the sender (do not click REPLY TO), or better yet, call him/her to verify if they did indeed send the email.
- Since your home address has been leaked as well, be careful about receiving letters and packages that you are not expecting and visitors that you do not know.
- If you are currently residing abroad, warn your parents and other people living at your home about this threat.
If anyone has any other tips that they would like to share, please place a comment below so that we can add them to this list.
Also, here are more tips from Inquirer on how to avoid being a victim of identity theft — Tips to avoid becoming an identity theft victim.
— UPDATE Apr 23 12:30PM —
We found a Facebook Post in ProtectPinas that also has a lot of useful advice, and here are just some parts of the post:
WHAT SHOULD YOU EXPECT?
If your personal information is compromised, here are the possible things that might possibly happen to you:
- Credit card fraud thru over the phone or online purchases with assistance from your credit card company by providing personal details
- Access to your bank accounts and information by providing your personal details
- Receive phishing e-mails coming from individuals or institutions identifying itself as a bank asking information of password or PIN reset
- Take over your email and social media accounts (Facebook, Instagram, Twitter, etc) by requesting a request password
HOW DO YOU PROTECT YOURSELF?
These are the things you can do to protect yourself:
- Use password management applications such as 1Password or Passkeeper
- Change your forgot password secret question and answer making sure to avoid using “Mother’s Maiden Name” as your secret question and answer
- Use two-factor authentication for all your online banking accounts. If possible, avoid using your cellphone number and use mobile applications and/or physical security devices for two-factor authentication
- Do not respond to calls from anyone asking you for your personal information, especially your full name, address, and mother’s maiden name. Only provide such information if you’ve called your bank yourself, and as much as possible limit these interactions.
You can check out the complete post here: What To Do To Protect Yourself If Your Personal Info Is Compromised Due to the Recent COMELEC Database Hacking Incident
— UPDATE Apr 23 2PM —
We found this enlightening video of the extent of possibilities and damage of how hackers can use information to gain access to your accounts. Thanks to Fusion’s Youtube Channel for this very useful video, and here’s their supporting article about it.
____________
Rene Canlas is a Software and Hardware Technology Professional with over 20 years of experience in Information Technology. Rene has a keen interest in technology as it applies to improving everyday life. His expertise includes IT Security Consulting, IT Project Management, Software Architecture Development, Systems Administration, Database Administration, and Technology Lifestyle Consulting.