ComeLeak: Your personal data now with cyber-criminals
When its website hacking was exposed here, among others, the Comelec dismissed the incident as mere vandalism. Experts were quoted describing the leak of 55 million voters’ personal data as the biggest breach of government cybersecurity in the world (see http://www.philstar.com/opinion/2016/04/11/1571677/hacking-exposes-55-m-voters-identitytheft). The Comelec belittled the stolen databases as just the precinct assignments of voters.
Now the National Privacy Commission, no less, is saying that the breach is so grave that everybody is at risk. “Our data are out there, the danger is there, even if it’s not immediately apparent right now,” warns deputy commissioner Ivy Patdu. “It can be felt years from now. The data could be used for malicious purposes at any time.”
Imagine what the cyber-criminals can do with our personal info. They can steal our bank deposits, peer into our emails, and plant our stolen identities, including fingerprints, in crime scenes.
Following are excerpts of the NPC report on the kind of info made public due to Comelec’s criminal negligence:
“From 20 to 27 March 2016, on several occasions, unknown actors, using different networks and IP addresses, exfiltrated the contents of the Comelec website, including the voters’ databases contained therein. In other words, there was unauthorized access to several databases that Comelec kept and maintained on the Comelec website. These databases held personal information as well as sensitive personal information that may be used to enable or perpetrate identity fraud.
“In particular, one large exfiltration occurred on the evening of 23 March 2016, by a computer with a registered IP address of 202.90.136.202. This Commission later learned that this IP address was assigned to the National Bureau of Investigation (NBI) from 13 October 2015, or six months prior to the exfiltration.
“Notwithstanding the size and scale of the exfiltration, the firewalls and automated warning systems installed by ITD did not report anything amiss. In fact, the downloading was treated as a legitimate request by the firewall.
“On the evening of 27 March 2016, unknown persons calling themselves “Anonymous PH”, changed the homepage for the Comelec website, in a process known as website defacement. Soon after, the NBI reported that it was Biteng who allegedly committed the website defacement.
“Later that same evening, a group identifying itself as LulzSec Pilipinas, claimed to have downloaded the entire Comelec website, including the databases there kept. The size of the exfiltrated files totaled at least 320GB. Together with their announcement, the group uploaded these files on several popular file-sharing platforms and advertised these links on their group page on Facebook. The ITD discovered the data breach when this post became viral.
“While the Facebook post with working links has since been deleted, copies of the files so uploaded are still circulating on file-sharing networks. This Commission notes that once copies of a database containing personal and sensitive personal information are made freely available to the public, it is next to impossible to contain. These data are most likely in the hands of criminal elements, and may be used at any time in the near or far future for malicious ends. The harm to data subjects arising out of a personal data breach are not immediately apparent; the danger exists nonetheless.
“The personal data in the breach is contained in several databases kept in the website: (a) the voter database in the Precinct Finder web application, containing 75,302,683 records; (b) the voter database in the Post Finder web application, which contains 1,376,067 records; (c) the iRehistro registration database, with 139,301 records; (d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the Comelec personnel database, containing records of 1,267 Comelec personnel.
“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.
“The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system.
“Of the records in the iRehistro database, aside from containing information already required in a voter registration form, the database also included 40,706 records with taxpayer identification numbers, and 17,205 records with passport information.
“Of the records in the firearms ban database, there were 10,179 records containing application form information, including owner, serial number and license number of the firearms.
“Immediately after the breach, the different SQL databases of Comelec containing personal data were made publicly available, as reported by the Information Communications and Technology Office (ICTO), the assigned Forensic Investigator of the NBI, and the Comelec.
“Less than a month after the security incident, Comelec formally informed this Commission about this incident. However, the letter did not indicate the gravity and/or extent of the security breach, the number of records involved, and the type of personal data compromised. It also did not include any information on any action or plan of action to address the affected data subjects. The letter also did not indicate who was designated as the person responsible for data security or compliance with the requirements of the Data Privacy Act of 2012.”
* * *
The NPC saw no proof of the ComeLeak affecting the election result. We can’t be too sure. Due to the altering of certain entries in the vote-count server, doubts linger about the Vice Presidential race. Unexplained too was how new, little known parties mustered enough national votes for sectoral congressmen.
One wonders to what other malice the Comelec has exposed us Filipinos.
* * *
Catch Sapol radio show, Saturdays, 8-10 a.m., DWIZ (882AM). Gotcha archives on Facebook: https://www.facebook.com/pages/Jarius-Bondoc/1376602159218459, or The STAR website http://www.philstar.com/author/Jarius%20Bondoc/GOTCHA