The National Privacy Commission (NPC) on Wednesday, January 12 said it has issued orders to the Comelec, Manila Bulletin, and Manila Bulletin tech editor and IT head Art Samaniego Jr. to appear at an online “clarificatory meeting” on January 25 regarding the alleged hack of the Comelec servers.
Manila Bulletin reported on Monday, January 10, that the Comelec servers had allegedly been breached on Saturday, January 8 by an unnamed hacker group, with the hackers supposedly pilfering 60 gigabytes of sensitive data including usernames and personal identification numbers (PINs) for vote-counting machines, and lists of overseas absentee voters, as well as the locations of voting precincts with details of boards of canvassers.
Comelec spokesperson James Jimenez questioned the report hours after the article’s publication, saying that it offers “scant substantiation” for its assertions. He also questioned a part of the report that alleges that usernames and PINs were stolen, saying that “such information still does not exist in Comelec systems because the configuration files – which includes usernames and PINs – have not yet been completed.”
In an interview with SMNI, Manila Bulletin tech editor Art Samaniego stood by the story and said the information came from white hat hackers who just wanted to expose the vulnerabilities of the Comelec servers.
“For us, this happened. We verified it. The screenshots are complete,” he said in Filipino. “That’s why we tried to verify it with the Comelec as to what happened. But we were left hanging.”
“White hackers have a warning. If Comelec and Smartmatic do not admit to this, they will release the data,” he added.
In the same interview, Samaniego said that “personally, ayaw ko sana ilabas ‘yung story kasi makaka-apekto ito sa kredibilidad ng Comelec (I didn’t want to release the story because it would affect the credibility of the Comelec).” But the article came out upon the decision of the Manila Bulletin editorial board, because Samaniego says, “kasi responsibility namin na ipaalam sa mga tao kung ano ang nangyayari (because it’s our responsibility to let the people know what was happening).”
Comelec chairman Sheriff Abas, in an interview with CNN on January 11, reiterated Comelec’s line that the PINs and passwords couldn’t have been stolen because they weren’t in the system yet. After seeing the Bulletin report, Abas said, “I immediately called the director of our Information Technology Department to check kung may breach (to check if there was a breach.)”
“After an hour, bumalik siya sa akin, and sinabi niya sa akin, medyo negative, mukhang fake news ang balita, kasi wala pa tayong final data para i-configure, kasi January 15 pa kami mag-configure ng data na ipasok sa system ng VCM. Sa ngayon, Ms. Pia (Hontiveros), sure ako na walang hacking na nangyari.”
(After an hour, they came back to me, and told me, it seems negative, and it looks like it’s fake news because we have no final data to configure as we will be configuring the data we’re putting into the VCM system on January 15.)
The Comelec is expected to release a full report within the week.
Comelec commissioner Rowena Guanzon also called the report fake news in a January 12 tweet. “FAKE NEWS : @COMELEC server was hacked, not true. Manila Bulletin editor must verify,” Guanzon tweeted.
The NPC said, “The COMELEC must address the serious allegations made in the Manila Bulletin news report and determine whether personal data were indeed compromised, particularly personal information, sensitive personal information, or data affecting the same, which were processed in connection with the upcoming 2022 national and local elections.”
The NPC also directed COMELEC to investigate and submit the results thereof no later than January 21, 2022. – Rappler.com