Comelec vows voters’ data breach won’t happen again

Camille Elemia
Commission on Elections Executive Director Jose Tolentino Jr says the poll body's website is more secure now, being hosted by the Department of Information and Communications Technology

DATA BREACH. The Commission on Elections assures the public the data leak in 2016 will not happen again. Photo by Angie de Silva/Rappler

MANILA, Philippines – Less than a year before the 2019 elections, the Commission on Elections (Comelec) gave assurances there would be not be a repeat of the voters’ data breach in 2016.

Responding to the question of Senator Antonio Trillanes IV, Comelec Executive Director Jose Tolentino Jr said the poll body now has tighter security than two years ago, citing the help of the Department of Information and Communications Technology (DICT).

“We are now being hosted by the DICT, unlike before when we just hosted our own website, and I think Undersecretary [Eliseo] Rio will be proud to say no one has been able to get into their system,” Tolentino said on Monday, August 6, during the joint congressional oversight committee hearing on the automated election system (JCOC-AES).

“Aside from that, we have backup of database…and it’s separate, it’s not connected to any website,” he added. 

Tolentino reiterated the agency’s claim that information leaked in 2016 did not contain biometrics data, such as photos, signatures, and fingerprints. He said the hacking involved data from the Find My Precinct feature but said the DICT had reviewed it. 

“So we’re good? We’re protected and we can respond accordingly in case of future attacks?” Trillanes asked.

“Yes sir,” Tolentino replied.

Tolentino maintained the leak did not affect the results of the 2016 elections “because the [compromised] website is not connected in any way to our automated system.”

On March 28, 2016 – or more than a month before the presidential polls – a group calling itself LulzSec Pilipinas accessed the data of the poll body’s website and posted them publicly.

The National Privacy Commission earlier found former Comelec chairman Andres Bautista criminally liable for the incident.

The data leak involved:

75,302,683 voters’ registration records (including deactivated or disapproved records) in the Comelec’s Precinct Finder web application

  • 1,376,067 records in its Post Finder web application
  • 139,301 records in its iRehistro portal
  • 896,992 records in its gun ban database
  • 20,485 records of firearms serial numbers
  • records of 1,267 Comelec personnel

The privacy body said Bautista’s “willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence.” –

Camille Elemia

Camille Elemia is Rappler's lead reporter for media, disinformation issues, and democracy. She won an ILO award in 2017. She received the prestigious Fulbright-Hubert Humphrey fellowship in 2019, allowing her to further study media and politics in the US. Email