What have we learned a year since 'Comeleak'?
MANILA, Philippines – The Philippines was 6 weeks away from the 2016 national elections. The Commission on Elections (Comelec) had its hands full to ensure an orderly conduct of the third-ever automated polls.
The National Privacy Commission (NPC) had also just begun to operate, following the appointment of its first commissioner in early March.
Then, on the night of Easter Sunday, March 27, the unexpected started to unravel.
Hackers group Anonymous Philippines defaced the Comelec's website to send a message: Beef up the security features of the vote-counting machines.
The next day, March 28, it was reported that another group of hackers, LulzSec Pilipinas, accessed the database containing over 70 million registered voter records, both active and deactivated.
The hackers leaked the voter records database online, along with other databases they got hold of, in an incident which has since been known as "Comeleak." It is considered the biggest leak of personal data in Philippine history, and among the biggest breaches of a government-held database in the world.
Ten months later, the Comelec got embroiled in another incident involving voter records, in a break-in in one of its local offices in Lanao del Sur.
These put the Comelec and the NPC to the test, especially after the enactment of Republic Act 10173 or the Data Privacy Act of 2012.
At first, the Comelec was concerned about the vandalism, like what happened to government websites that had been similarly defaced by hackers, said its spokesperson James Jimenez.
The hacking also led to the loss of access to the Precinct Finder and Post Finder applications, which voters can use to verify their voter registration record. As of this posting, both applications remain unavailable on the Comelec website.
The Comelec temporarily shut down its website for a few hours to make the necessary fixes. Then on April 19, the poll body created a task force to study the incident and to present solutions.
As soon as it became possible, Jimenez said, "We moved [hosting of the website] to facilities of the Department of Science and Technology (DOST), which means, we also moved it behind several firewalls and then a CloudFlare [security service]."
"As far as the database is concerned, initial investigation showed that the bulk of information that was exposed was...already publicly available" via the Precinct Finder and Post Finder, Jimenez said.
"It was only later that it was discovered that other information had been breached, and that other databases had been breached. So, the initial reaction for the Comelec, of course, was to report the matter to the NBI [National Bureau of Investigation]," he continued.
Jimenez reiterated there were no biometrics data on the leaked databases – only "markers" or indicators, not actual digital images of fingerprints. (READ: Experts fear identity theft, scams due to Comelec leak)
On the conduct of the 2016 polls, Jimenez said the consequences "were practically nil," explaining that the website was just for information purposes, and separate from the automated election system.
The NPC sent a letter to the Comelec, ordering them to fully notify the privacy body of the incident. It then conducted fact-finding sessions with the Comelec starting May 19.
"The Comelec, by and large, was really very cooperative in our investigation," said NPC Commissioner Raymond Liboro.
It then ordered the Comelec on June 21 to issue notifications to affected data subjects and set up a Voter Care Center for the public's queries and concerns.
The NPC also directed the poll body to appoint a data protection officer (DPO), hold seminars within Comelec on data protection and the Data Privacy Act, conduct data breach drills, and have an independent security audit, among others.
"Because of the first incident, we really saw their efforts to comply with what was ordered," Liboro said.
Meanwhile, authorities started closing in on the hackers.
Biteng and De Asis "don't know each other personally," said the NBI, and just interacted on social media. The NBI said Biteng defaced the website "just to show its vulnerability." De Asis, meanwhile, was said to be among those who downloaded and leaked the voters' database.
Incidentally, a day after Biteng's arrest, the breach escalated when a searchable website using the leaked data was put up. The said website was immediately taken down by authorities.
"The first thing we warned people was, try not to use it...because it might be a phishing site," he explained.
Information such as this, said Jimenez, "should be the first line for the response. Unfortunately, in a lot of cases, the first response has always been to try to pin the blame on someone."
"We've never dodged the responsibility for this," he said. "We've always said, yes, something went wrong. Yes, it has to be fixed. But, right now, at this very moment this thing is unfolding, the most important thing is to make sure it doesn't get any worse."
Before 2016 ended, the NPC wrapped up its probe. On December 28, it promulgated its decision, finding Comelec Chairman Andres Bautista "criminally liable" for the voters' data leak, in his capacity as the head of agency of a personal information controller.
Bautista responded to the decision, saying the victims of the hack should not be the ones punished.
Woe in Wao
As if Comelec's troubles weren't enough, another incident rocked the poll body two weeks after the NPC's recommendation.
On January 11, 2017, suspected robbers broke into the office of the election officer in Wao, Lanao del Sur, and stole a computer. The Comelec confirmed that the stolen computer contained a copy of the national list of registered voters (NLRV).
For Jimenez, the incident "seems to me to be a burglary." He also pointed out that the NLRV database was encrypted.
"To say that it was per se a data breach might not be entirely accurate," he said. However, with the data in the stolen hardware, "the potential for a data breach exists. But again, we are fairly confident that our encryption is holding."
NPC's probe into the Wao incident is ongoing. It had ordered the Comelec to delete copies of the NLRV in local Comelec offices at the city and municipal levels, and to put in place additional measures to control access to it.
Liboro noted "a big improvement" in the Comelec's response, in part because of its appointment of a data protection officer, executive director Jose Tolentino Jr.
"In the first incident, they didn't even know how to notify, what should be included. With the guidance that we issued...they knew the drill after the 2nd incident."
Nonetheless, Liboro said the break-in at Wao is a "stark reminder that data breaches can be caused by physical gaps."
Jimenez said the Comelec has been struggling with its current physical facilities. "We do not have our own offices in the field. We are basically at the mercy of local governments, whether or not they'll give us decent office space."
"If I were to force a bright side, it's that it underscores the urgency of our request to have more resources to put into securing our field offices," he continued.
Danger still lurks
A year since the data breach, Jimenez reported that the Comelec had received "basically zero calls" regarding cybersecurity concerns through its hotline. "However, having said that, we also know and we appreciate the seriousness of the situation."
IT consultant Lito Averia emphasized that the leaked data "is still out there" on the internet.
While he hasn't heard of any incident linked to the leaked voter records, "the thing is, we don't know when that database would resurface."
Averia also noted that while the Comelec may have acted to comply with the NPC's '5 commandments' in data privacy, "we don't know to what extent they had complied, and whether their compliance is effective to protect the database from illegal access."
For instance, Averia wondered whether all city and municipal Comelec offices had complied with NPC's order to delete copies of the national voters' list after the Wao incident.
"To regain the confidence of the voting public, the Comelec should be more transparent with the actions they have taken," Averia said.
People, process, technology
With risks still apparent and future cyberattacks unpredictable, organizations and individuals should prepare and be proactive in protecting their systems and their clients' personal information.
Trend Micro core technology marketing director Myla Pilao said that both the public and private sectors are exerting a lot of effort to discuss and raise cybersecurity awareness.
However, there will be "varying advancement" in terms of applying security measures.
"We have to be cognizant that security is not very cheap," said Pilao. "When you look at security, it has the component of technology, changing the processes, and even employing the right people."
She noted positive developments like the banks' migration to EMV chips, and the formulation of a national cybersecurity framework by the Department of Information and Communications Technology (DICT).
But Pilao said the Philippines "is still prone to a couple of security issues," in the form of old ones – presented by legacy systems and malware on mobile devices – and emerging threats, like ATM fraud and business email compromise, which target specific companies and transactions.
In terms of protecting personal information, Pilao said the security measures have "to be commensurate to what is really happening in the real world." Best practices and lessons learned in cybersecurity should also be shared among stakeholders.
At the end of the day, Pilao said data protection is a shared responsibility between companies and users.
In addition to adhering to NPC's "5 commandments", Averia said organizations "should have a greater degree of diligence to ensure data protection."
Online users, added Averia, likewise have to be aware of their sensitive personal information, and refrain from using it in passwords, online accounts, and challenge questions.
For his part, Liboro said his role as privacy commissioner is to "make compliance by [personal information] controllers and processors easy, and [to make it easier] for citizens to assert their rights."
The NPC said it would be holding an assembly of data protection officers in government on April 5. The assembly of DPOs in the banking, business process outsourcing (BPO), and education sectors would follow soon, said Liboro.
As for the Comelec, Jimenez said the poll body is doing everything it can to be ready for future cyberattacks.
"We are not stopping, and we are continually refining our processes, so that we may not be 100% able to keep up [with other people's ability to break into systems], but we are going to try to keep up." – Rappler.com