Comelec data leak puts Filipino voters ‘at risk’ – Trend Micro

Michael Bueza
Supporting Rappler's initial findings, the international Internet security company’s own probe reveals that a huge amount of sensitive personal information was in the files leaked by the Comelec website hackers

MANILA, Philippines – An investigation by an Internet security software company revealed that a huge amount of sensitive personal information was in the files leaked by hackers of the Commission on Elections (Comelec) website. 

This makes Filipino voters “susceptible to fraud and other risks.”

In an April 6 entry on its TrendLabs Security Intelligence blog, Trend Micro’s research showed that “massive records of PII (personal identifiable information)” were in the files accessed by hacker group LulzSec Pilipinas and posted online on Sunday, March 27

Touting itself as a “global leader in IT security,” Trend Micro develops IT security software and solutions for businesses and consumers. Founded in 1988 in the United States, its global headquarters is currently located in Tokyo, Japan.

Its Anti-virus and Internet Security suite and its Business Security Services software each got 4 out of 5 stars from computer magazine PCMag.com.

Trend Micro’s findings were similar to what Rappler reported last week about the data leak. (READ: Experts fear identity theft, scams due to Comelec leak)

With records of 55 million Filipino voters affected by the leak, Trend Micro said that this may turn out to be the “biggest government-related data breach in history, surpassing the Office of Personnel Management (OPM) hack last 2015 that leaked PII, including fingerprints and social security numbers (SSN) of 20 million US citizens.”

The personal data in the leaked Comelec files fall under the category of data with high sensitivity, said Paul Oliveria, technical communications manager at Trend Micro.

While the Comelec has downplayed the website intrusion’s impact, Trend Micro’s findings revealed that “a huge number of sensitive personal identifiable information (PII) – including passport information and fingerprint data – were included in the data dump.”

Trend Micro feared that cybercriminals “can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion.”

Exposed

The data dumps, said Trend Micro, “include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone.” 

Rappler’s own investigation revealed that records of registered overseas Filipino voters (OFV) in the leaked files were not encrypted or converted into code so that it could not be easily read. This exposes the overseas voters’ names, birth dates, voter identification numbers (VIN), and current residence.

Meanwhile, the fields for names, birth dates and VINs in the local registration tables were encrypted. However, the rest were not. 

“Interestingly, we also found a whopping 15.8 million records of fingerprints and list of people running for office since the 2010 elections,” Trend Micro claimed. 

However, in the files that Rappler was able to examine, there seems to be no indication that there are images of fingerprint or biometrics data. 

In a follow-up email, Oliveria clarified that the fingerprint data they were able to uncover “appear to be their digitized or coded versions. It may be the output of the fingerprint reader used to encode this information. So they are not the actual scans or photos of fingerprints.” This means that groups with a criminal intent will need to take an extra step to decode the data and turn it into a fingerprint image.

Oliveria however emphasized that this information “is still highly sensitive” and will still allow potential hackers to decode it. 

Highly sensitive data

“What was initially mentioned by the Comelec is that what the hackers got were data already publicly available from the Comelec’s website. But our researchers found out that some of the data in the leaked files were not encrypted,” Oliveria told Rappler.

“There are the kinds of information that people are not necessarily willing to give away,” he added.

In its blog entry, Trend Micro said that highly-sensitive data “are confidential and restricted.” When stolen, the compromised data “may cause damage or harm to one or more individuals.” 

With those data out there, Oliveria said that the end users – or in this case, registered voters – “are at risk of the usual scams or identity theft. That may happen.”

He added that while technical skills are needed to open the leaked files, “the fact remains that the data is already in public space.”

“If somebody has the intent or drive to actually go through the data and sort through it, or sell it in underground markets, he or she could take advantage of that,” Oliveria noted.

Trend Micro echoed the concerns of IT experts whom Rappler had talked to about the data leak.

Rene Jaspe, an information security expert, and co-founder of local information security consulting company Sinag Solutions, said that in extreme cases, the voters’ personal information in those files could be used to commit identity theft. 

Meanwhile, National Citizens’ Movement for Free Elections (Namfrel) IT consultant Lito Averia feared that voters might fall victim to scams, for instance, as a result of the leaked data. 

Oliveria advised that the Comelec should now be careful about how to protect information moving forward. 

Verification 

Oliveria also took note of reports that the poll body has sought the help of the National Bureau of Investigation (NBI) Cybercrime Division to investigate the hacking incident.

In an earlier interview with Rappler, Comelec spokesperson James Jimenez said that the leaked files “may not even be the real thing.”

“Worst case scenario is they have copied it, but even then, there is no way for us to know if it is a faithful reproduction of what [the Comelec has],” Jimenez said. 

“That’s a good step, for them to verify first [if the leaked data is real]. But we researched on what was out there,” said Oliveria. “If they find that it’s not the same as what the Comelec has, then it’s well and good.” – with Wayne Manuel/Rappler.com

Michael Bueza

Michael is a data curator under Rappler's Tech Team. He works on data about elections, governance, and the budget. He also follows the Philippine pro wrestling scene and the WWE. Michael is also part of the Laffler Talk podcast trio.