MANILA, Philippines – The Commission on Elections on Tuesday, April 12, said it is set to file charges against the hackers of the Comelec website, and is willing to sanction its own people over this unprecedented breach of online security.

Hackers on March 27 said they had accessed the Comelec’s database of 55 million registered voters.

“Obviously, Comelec has to run after the people who actually did this. Once they are identified and apprehended, there will be legal actions taken against them, as well as those who have been taking advantage of what they did,” Comelec spokesman James Jimenez said in a news conference.

Ronald Aguto Jr, chief of the cybercrime division of the National Bureau of Investigation, said the NBI already has a “very good lead” on the identity of the hackers.

“We were hoping that in the next few days, we’ll be able to identify, arrest, and charge the persons responsible,” Aguto told reporters.

Aguto said possible cases against them include a violation of the Cybercrime Prevention Act of 2012.

While preparing charges against the hackers, the Comelec is also open to sanctioning its own personnel, Jimenez said. This is “part of any full-bodied response to anything like this.”

He said the process of possibly sanctioning its people “has already started internally in the Comelec.”

Comelec: We can protect votes 

For one, Jimenez said, people maintaining the Comelec website “have been moved to non-sensitive tasks.” This means that while the investigation is ongoing, the involved Comelec personnel will not be given “sensitive responsibilities.”

Data privacy lawyer Marlon Anthony Tonson, for his part, believes the Comelec could be sued for “failing to protect personal information.”

Citing information security experts, Rappler reported on April 1 that this is considered the biggest leak of personal data in Philippine history. 

On April 6, the Internet security software company Trend Micro confirmed that the data leak has made Filipino voters “susceptible to fraud and other risks.”

Jimenez, however, cautioned the public against immediately believing that the “data dump” is authentic. 

He said the validation of this data dump “is ongoing.” 

“Considering that Trend Micro has no access to the actual databases of the Comelec, it is impossible for Trend Micro to have done such validation itself,” Jimenez said in a PowerPoint presentation.

He added, “The blog’s misrepresentation of the data dump as authentic, therefore, is irresponsible at best.” 

Jimenez earlier said that, despite the hacking, the Comelec can protect the public’s votes on May 9. After all, the Comelec website, www.comelec.gov.ph, is separate from the site where the poll body will upload election results.

He said, too, that the system running the Comelec website is different from the one that runs vote-counting machines. He described VCMs as “standalone.” – Rappler.com