MANILA, Philippines – A “Pandora’s box” has been opened.

Nearly a month after the website of the Commission on Elections (Comelec) was hacked, a website surfaced on Thursday, April 21, posting the contents of the poll body’s leaked database containing over 55 million voter registration records. (READ: Website leaks Philippine voter data)

Searchable are voters’ now-decrypted names and birthdates, as well as personal addresses, citizenship details, passport numbers, fingerprint data, and other miscellaneous information. This can be considered the biggest leak of personal data in Philippine history.

With these kinds of personal identifiable information on the Internet, data privacy and IT experts admit there is “nothing much” Filipino registered voters can do to protect themselves from possible repercussions. (READ: Experts fear identity theft, scams due to Comelec leak)

“That is the danger when you put up data on the Internet. It [becomes] permanent,” said Rene Jaspe, founder and chief security officer of local information security consulting company Sinag Solutions. Jaspe had previously worked for a defense contractor in the US for over a decade.

“It may not affect you now, but it might harm you later,” added lawyer and technology law expert JJ Disini, who played a role in lobbying for the passage of Republic Act 8792 or the e-Commerce Act.

Nevertheless, Rappler got some tips from them on how to mitigate the impact of the leak, and looking forward, how to afford better protection. 

1. Monitor your transactions and activities online and offline.

In a Facebook post, local software development company Seer Technologies co-founder Joben Ilagan* said that online users should take care of themselves when interacting on social networking sites. 

“Be careful before accepting new Facebook friend requests,” said Ilagan. He explained that a user spoofing as (or pretending to be) a friend would “get to see your more private posts” if you accept his or her friend request.

“Also, search Facebook regularly for people who may be spoofing you,” Ilagan said.

Jaspe, for his part, advised everybody to be careful with bank and online transactions. “If you have a credit card, watch out for activities [connected with your account].”

If you notice any suspicious transaction, Jaspe recommended that it be reported immediately to your bank and to have your account cancelled.

2. Avail of additional means to secure bank and online transactions.

Jaspe said some banks offer a one-time PIN for certain banking activities. This PIN code is sent to your registered mobile number, and should be entered when you log on to your online account or pay for your purchases.

“You could have that activated if it is offered,” said Jaspe. Ask your bank and other service providers for this and other similar features.

3. If you use personal information as your password, change it immediately.

Time and again, IT experts tell online users to never use personal data as passwords. These could include your age, birthday, or a part of your name. If yours still contain personal information, don’t delay, and change them now.

Ilagan also advised changing security questions into those that won’t require sensitive personal information as answers. (i.e., “What is the name of your favorite pet?”) Otherwise, make the answers to security questions fake (but make sure to remember and take note of them).

4. Be aware of the risks, now that your personal information is out there.

Jaspe said that IT security heads in offices and companies can brief their employees about information security awareness.

“Your employees most probably are voters… [They] have to be aware of the possibilities, now that [their] personal information is out there.”

Individuals can also search for safe and secure online practices on the Internet.

5. Submit complaints to authorities and web companies.

Jaspe said the Department of Justice (DOJ) can act on a request – which the Comelec can file – to take down the said website. 

Many netizens have suggested reporting the website to web security provider CloudFlare, web hosting service GoDaddy, and Google. But Jaspe said that CloudFlare “does not take down a site, as a matter of policy.”

Suggestions to government, Comelec

Disini said that government should have done more to stop this leak from happening. “Voters give these data to the Comelec, to verify their qualifications.” That is why, Disini argued, that as the data controller of these personal information, the Comelec “should be held to the highest standards.”

The experts shared some suggestions for the government going forward:

1. Formulate a cybersecurity framework for the Philippines.

It is a set of cybersecurity policies, standards, and guidelines that the government should follow. In the US, this framework is now in place, said Jaspe.

He added, “I think it should start in Congress to make it permanent, or the President might have to do an executive order” like what US President Obama did in 2013, when he signed EO 13636, which mandates improvements in critical US cybersecurity infrastructure.

2. Strengthen the protection of other agencies’ databases.

Ilagan feared that other government agencies with personal and sensitive data might be the “next targets” of hackers “to complete the puzzle.”

These critical agencies need to protect their databases, said Ilagan. “More so now,” he added.

3. Comelec should strengthen its systems to prevent further attacks.

In the IT security field, Jaspe said that once a certain site is breached, it could be breached again 3 to 4 times in the same year. 

“Hopefully, the right protections [in Comelec systems] are now in place,” he said. – Rappler.com

*Editor’s Note: Seer Technologies is a consultant of Rappler.