Part 2: Comelec leak – what can go wrong?

READ: PART 1: Comelec leak – what I discovered

The Comelec says that the information contained in the leaked database is public knowledge anyway. It is indeed public, but users of the website can search practically only their own records, or, at most, people they already know.

What the breach allows is a broader search and processing of data of information of all voters – and in large batches – not just one at a time. It also makes possible inferring relationships between different records.

For example, neighbor relationships can be derived from those assigned to the same precinct. Sibling relationships can be assigned high probabilities when people have the same family name and maiden name. Finally, it allows easier matching with external sources of data – whether done manually or automatically.

Anyone knowing your full name, date of birth, and address can start spoofing your identity in opening new email accounts (ex. Google Mail) and social media accounts like Facebook, Twitter, or Instagram.

Spoofing becomes even more deceptive if the account can show real friends or contacts (whether friends or neighbors). The leaked data does not contain relationship info, other than perhaps people with the same last names assigned to the same precinct.

Once richer relationship information can be deduced through email replies or acceptance of friend requests, things can spiral out of control. (READ: Is Comelec liable for website data leak?)

Depending on the richness of data collected post-leak, criminal elements may be able to guess passwords or, if not possible, retrieve lost passwords and PINs by hurdling the usual security questions such as “what is your mother’s maiden name”, “what is your birthday”, “or what is your city of birth” and also complex ones like names of pets.

You may accept a friend request, especially after seeing that the person is really your friend and you also see common friends shown with the request. You say hi to your new friend, calling him or her by nickname (another crucial piece of data). After accepting the request, you may then be sharing sensitive information only visible to your friends.

You may also blindly accept your new friend’s request to join private Facebook groups you’re also part of, thinking that it is safe to do so.

The fake friend posts a message saying that he or she is trying to reconstruct his or her address book because of a lost phone, so you offer to give your mobile number and email.

For your real friend whose identity had just been spoofed, things can get as messy as the impostor may already be doing things such as soliciting cash and making commitments.

Advancing from spoofing to full-blown identity theft, that is, to open bank accounts, apply for a postpaid mobile plan or credit card account, and apply for a bank, Social Security System (SSS) or HDMF loans, other critical data not present in the data leak will be needed.

Among these are government IDs like SSS, driver’s license, passport, TIN or Tax Identification Number. There are conceivably many ways of deriving these types of information through other sources, and I won’t cover these in this report.

It is critical that the Information Security of the primary sources of these pieces – SSS, Government Service Insurance System or GSIS, Bureau of Internal Revenue (BIR), Land Transportation Office, and the Department of Foreign Affairs, among others – be tightened further.

The Comelec data are just one piece of a larger puzzle. Too bad for top taxpayers in the Philippines. The BIR publishes this list on their website annually. Information on the list is enough to match information from the leaked data.

What now?

A lot has already been written about what to do to protect ourselves and take precautionary measures. There will never be enough tips, and media must continuously inform people on what to do to protect themselves. Smaller initiatives such as this will go a long way as well.

For banks, telcos and government entities – which are custodians of the other pieces of the identity information puzzle – information security and customer or citizen protection must be given more serious attention.

Invite a diverse set of IT professionals in technology to review sessions (not just people with certifications, else you create the perception that you are excluding people on purpose).

Besides, the hackers may not necessarily have the certifications you require from your reviewers. – Rappler.com