MANILA, Philippines – Was the Commission on Elections (Comelec) negligent when it failed to block hackers who obtained and publicly shared sensitive voter information?
Information security experts fear that what may be the biggest leak of personal data in Philippine history could lead to massive identity theft by criminals. This comes after hackers boasted on March 27 that they had accessed the Comelec’s database of 55 million registered voters and uploaded it online.
Prior to that, the Comelec’s homepage was defaced by a group that introduced itself as Anonymous Philippines. The message was clear: activate security features in the vote-counting machines for the May 9 national and local elections.
Another group, LulzSec Pilipinas, also posted an online link to the Comelec’s “whole database” on March 27. By the afternoon of March 28, LulzSec Pilipinas had updated the post to add 3 mirror links to an index of files that could be downloaded.
While much of the data in the files are election-related information already accessible through the Comelec website, the entire voters’ registration data set is not supposed to be shared with the public.
Rene Jaspe, an information security expert, founder and chief security officer of local information security consulting company Sinag Solutions, said he is “worried about the voter registration data. It’s identifiable data.”
Jaspe, who had previously worked for a defense contractor in the US for over a decade, also said the Comelec “should have been more diligent.”
In extreme cases, the voters’ personal information could be used to commit identity theft. “With that kind of info, you can already open a [fake] bank account” or create a fake driver’s license, Jaspe warned.
In the US and other countries, he added, datasets like these are even “sold” in underground markets.
National Citizens’ Movement for Free Elections (Namfrel) Information Technology consultant Lito Averia said that some voters might even be “targeted” by individuals with criminal intent, using the data contained in this leak.
“You might fall victim to a scam, for example, if the scammers know how they could get in touch with you. If you’re targeted, the criminal might know how to find or identify you,” said Averia.
What was hacked
LulzSec Pilipinas released 16 databases that were allegedly retrieved from the Comelec website. All in all, there are 355 tables in these databases.
When we checked what was posted online, here’s what we found, among others:
- The largest of these databases has the term “web” in its name. It’s identical to the filename specified by Anonymous Philippines in the video it posted regarding the hacking. It has a file size of more than 338 gigabytes (GB). This is roughly equivalent to over 3 million web-optimized photos, around 96,571 songs in MP3 format or 85 movies in DVD format. It is also over 600 times bigger than all the other databases combined.
- The “web” database has 103 tables, the names of which seem to refer to election-related data, like “candidates”, “partylist”, “elected” and “stats.” Some even contain election years and the type of polls (national and local elections, or barangay and Sangguniang Kabataan elections).
- Almost 80% of the “web” database is occupied by 8 versions of a table that carries the term “ERB”, which could stand for Election Registration Board. ERB hears all applications for registration by eligible voters.
- The final version of these tables contains 75.3 million rows of records about people, with 54.28 million rows not tagged as disapproved. This approximates the 54.36 million registered voters for the 2016 elections, as announced by the Comelec.
- Some personal data in the local voter registration tables – like voters’ names, birth dates, and Voter’s Identification Numbers (VIN) – are encrypted or converted into code, and therefore more difficult to decipher. The rest are not – such as the fields for residential address and birthplace.
- Records of registered overseas Filipino voters (OFV) seem to be in another set of 10 tables, taking up almost 10 GB of the “web” database file. In these tables, even the name, birth date, VIN fields and current residence were not encrypted. Worse, for some records, the names of the parents, birthplace and passport numbers could be identified by just knowing the names of the overseas voters. Banks usually use these details to verify the identity of a person.
Email addresses, tax identification numbers
One database appears to contain information entered in an online application form on the iRehistro portal of the Comelec website. This portal facilitated the scheduling of appointments for voter registration from 2014 to 2015.
These tables contain more information per registered voter than those in the “web” database, but they involve fewer people. Only the name and birthdate fields in these tables are encrypted. Fields like the residential address, email address, full names of both parents, and tax identification number are readable by humans.
We checked for records of some voters we know to have registered – searching only in the unencrypted fields – and were able to confirm their street addresses and other unencrypted details mentioned above. We also checked records of people we know who registered for overseas voting and found their actual data.
The Comelec has said the hackers only obtained information already appearing on the poll body’s website.
But Jaspe, the information security expert, said that while the system for the website is independent of the automated election system, “[some] could equate this incident to everything related to Comelec and the elections. It’s a matter of perception.”
‘It may not even be authentic’
In a phone interview with Rappler on Friday, April 1, Comelec spokesperson James Jimenez said that the files that were leaked may not even be the real thing.
“We cannot say for certain if what they have is authentic. That is why we have sought the help of the NBI (National Bureau of Investigation),” Jimenez said.
“Worst case scenario is naka-kopya sila (they have copied it), but even then, there is no way for us to know if it is a faithful reproduction of what [the Comelec has],” he added. “So we should not jump into conclusions on what they have, because it may not even be the real thing.”
Jimenez also downplayed the idea of using the data in the leaked files to commit identity theft. “[They] have a list of names and addresses. That’s pretty much it. I think it’s going to be more complicated than that, when creating a bank account, for instance.”
As for the appearance of personal information in these leaked files, Jimenez suggested that we send our observations to the NBI. “I have not seen it. If you’re doing this investigation, please send to the NBI and help us.”
Fortify the site
If the leaked databases indeed contained voters’ registration data, Averia surmised that the computerized voters’ lists on election day – if the Comelec hasn’t completed them yet at this point – might be corrupted as well. “You’ll have problems on election day [when this happens],” he said.
“If one can’t find his or her polling precinct, there will be confusion. If your name is not on the voters’ list, the board of election inspectors will not allow you to vote,” he added. He conceded that the voters’ list can still be reprinted from back-up copies, if they exist.
Jimenez, however, said the Comelec’s database of voters remains intact because the hackers don’t have access to change it. The voters’ registration database with the Comelec, he added, would be the basis of the voters’ list on election day.
Nonetheless, Averia strongly suggested that the Comelec seriously look into this incident and take measures on how to resolve the problems.
“It’s not only restoring the website but also fortifying it, by applying software patches, for example,” Averia said. “They should also determine the extent or scope of that data that was leaked.”
Jimenez warned against people sowing confusion following the incident, especially those saying that it would affect the May 9 elections. “They’re riffing on the general fear of hacking. It’s a very iffy syllogism… and they’re taking advantage of the lack of information of the public regarding this.”
The poll body has assured the public it can protect the votes cast on election day despite the hacking incidents. – Rappler.com
Editor’s Note: Rappler is one of the media entities permitted by the Comelec to allow its users to check their precinct and voter registration status via the Precinct Finder API. Access to the API through phvote.rappler.com is available on a one-record-per-query basis only. Rappler signed a non-disclosure agreement with the Comelec and is bound not to divulge specific features of the system for security purposes.