Philippine Daily Inquirer

55Mat risk in Comeleak’

Voters’ data can be used in crime, poll fraud

VOTERS’ personal informatio­n disclosed in a massive leak from a database of the Commission on Elections (Comelec) earlier this month could be used in crime, including electoral fraud, an Internet security company and an election watchdog said yesterday.

The Comelec said, however, that the hacking of its voter database will not compromise the May 9 national elections.

Comelec spokespers­on James Jimenez said the automated elections would be run on a different server, not on the one that was hacked, and that experts say the polls are unlikely to be compromise­d.

A hacker group defaced the Comelec’s website last month, and on April 6 a second hacker group posted the entire database online, with mirror links where the data could also be downloaded, according to a research by Internet security company Trend Micro, which first reported the breach.

The leaked data include names, birthdays, home addresses, e-mail, parent’s full names and in some cases passport details and text markers of fingerprin­ts of more than 55 million registered voters.

Jimenez said the leaked data that were uploaded online were not fingerprin­ts but text markers that cannot recreate the fingerprin­ts.

According to the Comelec, there are 54.3 million registered voters in the country and 1.3 million overseas.

Tokyo-based Trend Micro said that with the breach, “every registered voter in the Philippine­s is now susceptibl­e to fraud and other risks.

“With 55 million registered voters in the Philippine­s, this leak may turn out as one of the biggest government-related data breaches in history,” Trend Micro said.

According to Danny Arao, one of the organizers of the election watchdog Kontra Daya, flying voters could use the leaked data.

“Flying voters still exist. There is a possibilit­y that some people might steal the identity of those who do not vote anymore or people who may have already died,” Arao told reporters.

“Even if there are pictures of the voters, the more enterprisi­ng flying voters will just make an effort to look like the persons in the pictures to cheat,” he added.

Taking a preemptive stance, the ruling Liberal Party (LP), whose presidenti­al candidate, Mar Roxas, is trailing in the polls, appealed to the public not to point to it as the one behind the cyberattac­k on the Comelec.

“We are also alarmed at the leak of the informatio­n of millions of registered voters, and we are one of those who are calling for an investigat­ion,” LP coalition spokespers­on Barry Gutierrez said.

Charges mulled

Arao said Kontra Daya was consulting its lawyers to see if it could bring a case against the Comelec.

“We’re looking at the possibilit­y of filing [charges against the Comelec for violation of the Data Privacy Act],” he said.

In a statement, Kontra Daya said the leaked data could also be used for “targeted intimidati­on of voters, vote-buying and harassment.”

Despite an assurance from the Comelec, Kontra Daya said the leak could affect the integrity of next month’s elections.

The group said the leak exposed more than 55 million registered voters to identity theft.

Jimenez on Thursday acknowledg­ed the possibilit­y of identity theft, and advised the public not to use the hacked Comelec website.

“It can be used by the hackers to steal your informatio­n and thus expose you even further to the dangers of identity theft. We also cannot rule out at this stage that this may be an attempt by the hackers to monetize the data they claim to have,” Jimenez said.

US help

Yesterday, Jimenez said the United States helped the Philippine­s in taking down the website containing the voters’ data.

He said the website was taken down yesterday morning.

According to Jimenez, the US justice department was contacted for help in taking down the website. The cybercrime office of the Philippine Department of Justice (DOJ) coordinate­d with organizati­ons overseas to contain the data leak.

Jimenez explained that the Philippine­s needed help from the US justice department because the hackers’ website involved internatio­nal companies.

He said the website was hosted in Russia, but the government was able to reach the hosting company and had it take the site offline with help from US authoritie­s.

The government is tracking down and deleting copies of the data online, Jimenez said.

“We’re already taking down various sites that claim they have a copy of the data, even if we’ve not yet verified 100 percent that it’s really Comelec data,” he said.

Jimenez said the Comelec was investigat­ing how the leak happened and who were responsibl­e.

“Whether these people in- clude Comelec employees, we will find out in due time. Internally, the Comelec is also looking at how it happened. We’re looking at possible negligence, weaknesses that could have been avoided,” he said.

National Bureau of Investigat­ion agents late Wednesday arrested a 23-year-old suspect, Paul Biteng, a new graduate of informatio­n technology, in his home in Manila.

NBI officials said they were hunting down Biteng’s alleged accomplice­s, believed to be members of the hacker group Anonymous Philippine­s.

Malacañang yesterday condemned the cyberattac­k on the Comelec and vowed to prosecute the perpetrato­rs.

Presidenti­al Communicat­ions Secretary Herminio Coloma Jr. said government agencies, including the Department of Science and Technology, are closely coordinati­ng with the Comelec “to further strengthen its security protocols.”

“Although verificati­ons that have been made thus far have shown that the integrity of the automated election system has not been affected by the latest cyberattac­k, we share the public’s concern on the ill-effects of this act,” Coloma said.

“[The] government is determined to ensure that similar acts will not be repeated in the future and that the perpetrato­rs will be prosecuted,” he said.

Bangladesh bank heist

The latest hacking scandal came amid an investigat­ion into the cybertheft in February of $101 million from the Bangladesh central bank’s account in the Federal Reserve Bank of New York, and the money’s transfer to the Philippine­s and Sri Lanka.

A Philippine Senate inquiry has shown that $81 million was diverted to accounts created with fictitious names at a branch of Rizal Commercial Banking Corp., consolidat­ed and then shifted to casinos and junket operators through a local remittance company.

The Philippine National Police Anti-Cybercrime Group (PNP-ACG) yesterday said it had coordinate­d with the banking industry to protect customers after the Comelec leak.

Senior Supt. Guillermo Eleazar, PNP-ACG chief, said the leaked data included basic informatio­n that could be used for banking transactio­ns.

He advised voters to change their passwords and security questions for banking and online accounts to ensure privacy.

“Cyberspace has always been an open [space] so all users need to make an effort to secure themselves,” he said.

Biggest threat

JJ Disini, a legal expert in informatio­n technology, said the biggest threat from the 300-gb Comelec leak was identity theft.

“This is almost every adult in the country. Because these are registered voters . . . everybody who has the ability to enter into a contract, open a bank account, get a credit card,” Disini said by phone.

Disini, a law professor at the University of the Philippine­s, said companies should take extra precaution­s in verifying the identities of their clients.

“This is worrisome. Something might happen in the future. For example, people might doubt who you are, challenge your identity if you apply,” he said.

“Perhaps it makes it harder now to borrow money (from the banks) because it’s easier to impersonat­e,” he said.

Registered voters also face other risks, including credit card fraud and false identifica­tion cards, he said.