MANILA, Philippines – Hundreds of thousands of email addresses from the leaked Commission on Elections (Comelec) website data have been added to a list of leaked accounts, according to a free service site.

The website Have I Been Pwned? (HIBP), developed and maintained by Troy Hunt, informs people if their email addresses and personal information have been leaked in a data breach. 

The site recently added 228,605 email addresses from the Comelec database, and Hunt has independently attempted to verify and understand the contents of the breach.

According to a blog post by Hunt on Thursday, April 14, he wanted to verify the breach because of a statement by Comelec officials, who said there were “no sensitive information there.”

In adding the Comelec data to the searchable index, however, Hunt said he had to input new data classes to properly index what was leaked, as he’d never seen information of that sort in a breach previously.

Hunt added the following new data classes: marital statuses, biometric data, physical attributes, and the names of family members.

The addition of the email addresses from the data breach to HIBP follows a Trend Micro report that asserts Filipino voters affected may now be “susceptible to fraud and other risks.”

Verifying the breach

Hunt emailed a number of subscribers to HIBP to help him verify data, which was found on two tables in the data breach – the first being a table called irdoctable2014.

That table had a number of fields, with the column names indicating that some sensitive, personally identifiable information may be on display. While some of the data were encrypted – such as people’s names and birthdates – many email addresses still contained both the first and last name of a person.

The personal information he was able to confirm were leaked included height and weight data, as well as the names of people closely related to a given registered voter.

Hunt added, “Along with email address (which in this case included the person’s full name), is their ‘vital statistics and biometrics’ as well as their parents’ names which all appear in the clear. There’s also a physical address, gender, marital status, where they were born, where they’re now living, their profession and their phone number. This is very personal information!”

Hunt was also able to confirm passport fragments of an individual listed in the table called “doctablepost.”

“With 5 independent confirmations of the data,” he wrote, “there’s no doubt in my mind that this is the real deal.”

Hunt added that biometric data relating to fingerprints may have also been leaked as a result of the data breach.

Comparing with Rappler’s findings, the information Hunt explains in his blog post appears to correspond to the iRehistro database, rather than actual voter registration data. The iRehistro portal facilitated the scheduling of appointments for voter registration from 2014 to 2015.

While this may be the case, the worrying thing is it is “an absolute mess of huge volumes of data, tables with suffixes which appear to indicate copies or duplication, draft or temporary data and inconsistent (and frequently insufficient) cryptographic storage of sensitive data,” according to Hunt.

Hunt closed his post by saying that “this is a breach we should be paying attention to. There’s the potential to do serious damage to those involved and we need to remember that the same classes of data are held by all our governments in our respective corners of the world.” – Rappler.com