2022 Philippine Elections

Comelec withholds payment to Smartmatic amid data breach controversy

Dwight de Leon
HEARING. Comelec Chairman Saidamen Pangarungan attends a Senate panel inquiry on the alleged data breach involving the poll body's software provider Smartmatic on April 19, 2022.

Senate screenshot

Both the Comelec and Smartmatic, however, maintain that the incident will not, in any way, compromise the conduct of the 2022 polls

MANILA, Philippines – The Commission on Elections (Comelec) said it is withholding payment to its poll software provider Smartmatic, following a supposed data breach involving the latter’s online infrastructure.

Both entities, however, have insisted that the incident will not, in any way, compromise the conduct of the 2022 polls. 

In a hearing conducted by the Senate electoral reforms panel, Comelec Chairman Saidamen Pangarungan said that the third tranche of payment to Smartmatic worth P90 million has yet to be released.

That payment is part of the P402.725-million contract that Smartmatic secured in 2021 for the Comelec’s procurement of the automated elections system (AES) software for the May 9 vote. 

Including other contracts, Smartmatic bagged a total of P3.119 billion in deals for the 2022 polls.

“[The payment will be released] once we are convinced that Smartmatic is innocent about this leakage of data,” Pangarungan said on Tuesday, April 19.

How serious was the supposed breach?

The brouhaha was caused by a rogue Smartmatic employee, Ricardo Argana. Based on the National Bureau of Investigation’s probe, the employee admitted on January 12 that he “shared his credentials to an unknown third person whom he met through Facebook Messenger allegedly in exchange of free lectures.” 

Here are some crucial points in the timeline of events presented by the NBI:

  • November 20, 2021 – Employee was deployed to Comelec warehouse “to run some tests on AES”
  • December 28, 2021 to January 2, 2022 – Smartmatic detected unusual traffic in its systems
  • December 29, 2021 – Employee brought home the laptop
  • January 3, 2022 – Employee returned the laptop
  • January 9, 2022 – Smartmatic detected unusual traffic again, and the credentials responsible for it were traced to the employee
  • January 14, 2022 – Hackers’ group XSOX sent email to Smartmatic, claiming it had “infiltrated” its networks

Smartmatic said the employee was fired in January, and that more stringent measures have been enforced since then.

For example, employees are now required not to bring their laptops home, in contrast to the “honesty system” that the company previously implemented.

“This has zero impact on the elections,” Smartmatic spokesman and former Comelec commissioner Christian Robert Lim said. “The files obtained by [former employee] Argana had no relation to what the Comelec is preparing for the elections.”

The NBI also disputed the hackers’ claim that they were able to download 60 gigabytes worth of data. 

This refers to the Manila Bulletin report in January, which was the first to report the supposed data breach, although the Comelec later pointed out several loopholes in that story.

“When you compare it to the logs provided by Smartmatic, the former employee was only able to download 4 gigabytes of information,” said NBI cybercrime division chief Victor Lorenzo. “That is why even if XSOX is threatening Smartmatic and the public that they are going to expose sensitive information, until now, they have failed to fulfill their threat.”

Lorenzo added that the hackers behind the 2016 “Comeleak” scandal are being considered persons of interest in the alleged breach involving Smartmatic.

The Comelec, for its part, is still waiting for a final investigation report, but its law department has recommended the blacklisting of Smartmatic, termination of contract, and the filing of criminal cases among the courses of action should the company be held liable for the supposed data breach.

But the poll body’s steering committee head for the 2022 elections reiterated that regardless of the outcome of the probe on Smartmatic, the Comelec is unaffected.

“Our system is not in any way connected to the internet,” Comelec Commissioner Marlon Casquejo said. “We are quite sure there’s no cyber attack in our system.”

Tuesday’s Senate electoral reforms panel inquiry was led by its chairperson Senator Imee Marcos, whose brother Ferdinand Marcos Jr. is running for Philippine president. 

The two Marcos siblings have expressed skepticism about the credibility of the AES, amid the belief that Marcos Jr. was the victim of automated elections cheating during his failed 2016 vice presidential bid. In a unanimous vote in February, the Supreme Court, sitting as the Presidential Electoral Tribunal, junked Marcos Jr.’s protest against Vice President Leni Robredo. – Rappler.com

Dwight de Leon is a multimedia reporter who covers local government units and the Commission on Elections for Rappler.