The Philippine Star

Bautista to face impeach raps?

- By JANVIC MATEO

Commission on Elections (Comelec) Chairman Andres Bautista may face an impeachment complaint following the recommendation of the National Privacy Commission (NPC) to file criminal charges against him over the massive voter data leak last year.

The NPC has also recommended to the Department of Justice (DOJ) a probe of the National Bureau of Investigation for the breach.

Anthony Ian Cruz, president and co-founder of consumer advocacy group TXTPower, said filing an impeachment case against Bautista was an option for those who were affected by the “Comeleak.”

“It is a subject of an exhaustive legal study. We are looking at all the legal options available to hold the Comelec and its officials for their criminal negligence that led to the leak,” Cruz told The STAR yesterday.

“Impeachment is one of the options available now, especially with the findings of the NPC. This option wasn’t available or feasible when the incidents happened. There are already ideas on how to present the impeachment complaint, the direct victims of the impeachable acts and the complainants,” he added.

TXTPower earlier lauded the decision and pushed for the immediate filing of criminal charges against Bautista for violating the Data Privacy Act of 2012.

“We agree with the NPC that the Comelec, led by Chairman Bautista, should face criminal charges for their epic negligence and gross ignorance of duties that led to this world’s biggest and worst data security breach of data collected and held by a government agency,” the consumer group said.

“If Chairman Bautista and the Comelec could shamelessly claim credit for purportedly successful elections, they should also be ready to admit accountability when they violate the law, which is clear in this case,” he added.

Romel Bagares, counsel in a separate complaint filed against Comelec over the data leak, agreed that the decision could be used as basis for an impeachment complaint.

However, they have yet to consider that option as their complaint is still pending with the privacy commission.

Bagares said the ruling released by the NPC on Thursday was the decision on the investigation initiated by the body even before a complaint in relation to the leak was filed.

“The decision we expect in our own case should not be far from that issued by the NPC in this first proceeding,” he told “At the same time we also wish to stress that we have other grounds and remedies not covered in this first decision.”

Bautista earlier questioned the jurisdiction of the NPC in handling the case, noting that its implementing rules and regulations had not yet been crafted when it started the preliminary probe.

But in its ruling, the privacy commission stressed that the law, signed in 2012, was a self-executing law and had been in effect since its promulgation.

It also noted that the law mandated the body to investigate all matters involving informational privacy and violation of data protection even without a complainant.

In its 35-page decision, the NTC found Bautista – as head of the agency – to have violated certain provisions of the data privacy law over his supposed negligence that resulted in the theft of voter information in March 2016.

It recommended that the DOJ initiate criminal prosecution of Bautista, as well as conduct further investigation for possible violation of Republic Act 10175 or the Cybercrime Prevention Act of 2012.

Cleared from charges were Comelec Commissioners Christian Robert Lim and Al Parreño, executive director Jose Tolentino Jr., spokesman James Jimenez, information technology department directors Ferdinand de Leon and Jeannie Flororita, and management information systems chief Eden Bolo.

Was NBI also involved?

In its 35-page decision dated Dec. 28, the NPC sought an investigation of the NBI after “finding that there was an unauthorized exfiltration of data” from the Comelec web server on March 23, 2016, “through a computer with an IP (internet protocol) address of 202.90.136.202, registered with the (NBI).”

The NPC said the investigation should be done for possible prosecution of those who would be found liable under the Cybercrime Prevention Law.

The decision noted that from March 20 to 27 of last year, “on several occasions, unknown actors, using different networks and IP addresses, exfiltrated the contents of the Comelec website, including the voters’ databases contained therein.”

“In other words, there was unauthorized access to several databases that Comelec kept and maintained on the Comelec website,” the NPC decision read. “These databases held personal information as well as sensitive personal information that may be used to enable or perpetrate identity fraud.”

“In particular, one large exfiltration occurred on the evening of March 23, 2016, by a computer with a registered IP address of 202.90.136.202,” the NPC said, adding that it “later learned that this IP address was assigned to the NBI” from Oct. 13, 2015 or six months prior to the exfiltration.

Notwithstanding the size and scale of the exfiltration, the NPC said firewalls and automated warning systems installed by the Comelec’s Information Technology Department did not report anything amiss.

“In fact, the downloading was treated as a legitimate request by the firewall,” the NPC also said.

A firewall is part of a computer system or network designed to block unauthorized access while allowing outward communication.

On the evening of March 27, 2016 or four days after the supposed exfiltration of data by an NBI-registered IP address, a group introducing itself as Anonymous Philippines defaced the Comelec website.

Moments later, another group called LulzSec Pilipinas posted on its Facebook account that it was able to download at least 320 gigabytes of data from the Comelec website, which were posted on both Facebook and file-sharing platforms.

With the copies of the uploaded files still circulating on file-sharing platforms, the NPC said that “once copies of a database containing personal and sensitive personal information are made freely available to the public, it is next to impossible to contain.”

“These data are most likely in the hands of criminal elements, and may be used at any time in the near or far future for malicious ends,” it said.

NPC commissioner Raymund Liboro said the NBI must undertake “housecleaning” because of the incident.

“They should really look into it,” Liboro said.

Meanwhile, an information technology expert told The STAR yesterday that the supposed Comelec website hackers nabbed by the NBI in April last year just really wanted to check the vulnerability of the website.

“I believe that in introducin­g themselves as security analysts, they saw that the website really had lapses,” he said, requesting anonymity.

Paul Biteng and Joenel de Asis, both in their 20s, were arrested by the NBI inside their respective houses in Sampaloc, Manila and Muntinlupa City in late April last year, almost a month after the defacement of the Comelec website.

But moments after de Asis’s arrest, a user-friendly website called wehaveyourdata.com published personal details of voters, where they could search for information.

The NBI accused Biteng of defacing the Comelec website, and De Asis of downloading 340 gigabytes of data and leaking this on the internet.

Biteng, in his defense, claimed that he was working as a computer security analyst and his job was to check the vulnerability of certain websites to hacking, while De Asis said the NBI only saw browsing logs on his computer that the law enforcers seized.

A government source sees two possibilities for an NBI-registered IP address to exfiltrate or download data from the Comelec website.

“Either it was masked to make it appear that exfiltration was from the NBI or there was really an NBI (agent who was a) member of Anonymous (Philippines) and shared the vulnerability of the Comelec website,” the source told The STAR.

In computer jargon, data masking is a method of creating a structurally similar but inauthentic version of an organization’s data that can be used for purposes like software testing.

However, the source noted the NPC should have found out if the alleged NBI-registered IP address was legitimate.

Also, the source noted that hackers would not use registered IP addresses for hacking websites since “anonymity is the name of the game.”
