MANILA, Philippines – The Commission on Elections (Comelec) is facing an investigation for another possible data breach after one of its computers in the town of Wao, Lanao del Sur, was stolen.

Comelec Chairman Andres Bautista confirmed to Rappler on Thursday, February 16, “Merong computer sa election office ng Wao, Lanao del Sur, na nanakaw.” (A computer in the election office of Wao, Lanao del Sur, was stolen.) 

Bautista said this computer fell in the hands of thieves in January.

Rappler learned from an informed source that the stolen computer contains the sensitive personal information, including the biometrics, of the Philippines’ 55 million voters.

The incident comes after the National Privacy Commission (NPC) said Bautista is “criminally liable” for the leak of voter data in March 2016 – the biggest leak of private data in Philippine history.

Bautista said the Comelec’s data protection officer and executive director, Jose Tolentino, earlier reported the theft in Wao to the NPC.

Bautista then assured the public that the data in the stolen computers had been encrypted, making these less susceptible to a breach.

“Hindi naman nila basta basta makukuha ‘yung data (They cannot easily access the data),” the Comelec chairman said. 

In a separate interview with Rappler on Thursday, NPC Deputy Commissioner Dondi Mapa said their commission is investigating this issue. 

‘Ball in Comelec’s court’

Mapa said the NPC is exploring the possibility that the Comelec failed to comply with the Data Privacy Act of 2012. 

Section 20 of the Data Privacy Act of 2012 states that the personal information controller – in this case, the Comelec – must safeguard personal information “against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.”

The law also requires the personal information controller “to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.”

“Persons who, due to negligence, provided access to personal information without being authorized” will have to pay a fine of P500,000 to P4 million ($10,000 to $80,100).

At the same time, the law says “accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from 3 years to 6 years.” 

Mapa said the NPC is also checking if a criminal act is involved – if, for example, a Comelec employee committed the data breach.

“We’re cooperating with Comelec. Right now, the ball is in their court,” Mapa said.

Still, a Rappler source said the Comelec needs to answer a bigger question: every municipality in the Philippines reportedly holds the biometrics of all of the Philippines’ 55 million voters.

Bautista is referring us to Tolentino for confirmation as of posting time.

If indeed there was a breach, information technology expert Lito Averia told Rappler this would be negligence on the Comelec’s part. 

Referring to the poll body, Averia said, “Nagkasala ka na, nagkasala ka na naman ulit.” (You made a mistake before, you made a mistake again.) – Rappler.com

$1 = P49.93