A few weeks ago, on the evening of March 27th, the website of the Philippine Commission on Elections (COMELEC) was hacked. Who cares?
A few days ago, Trend Micro reported a data protection mishap that leaves 55 million Filipino voters at risk. Who cares?
This was followed by another group of hackers posting download links to the databases they have at hand. Nobody seems to care. “Comelec spokesman James Jimenez said no sensitive information was compromised during the hacking.” Non-techies may believe him.
Then, just this week, another set of hackers created a search engine website exposing hacked data (from Full Names, Mailing Address to Passport Numbers and even biometrics information) of Filipino voters (just around 55M of them). Now, everyone’s listening. Everyone is asking questions nobody can answer, yet.
The exposure of personal information as detailed as that contained in COMELEC’s databases is like a nightmare times 55 million to individuals who value their online (and offline) privacy. Imagine people with criminal minds holding your personal information: identity theft will now be “chicken” to them. They can easily reproduce identification cards and documents bearing your personal information, without your knowledge and permission. Not good.
Who’s to blame in one of the biggest personal identity leakages on the planet? For me, it is none other than the COMELEC.
Why the COMELEC?
- Being law-abiding and responsible citizens of this country, we entrusted our personal information to the COMELEC when we registered ourselves as voters.
- By registering ourselves as voters, we gave valuable information to the COMELEC. This includes, among many others, our biometrics data. I remember a few years ago, when my biometrics data was captured in the local COMELEC office, I asked the OIC for the purpose of collecting such information. I was told that since the COMELEC is shifting to an automated type of election system, the biometrics data shall be used to ease up the voting process — short of saying that the voting machines will require our biometrics data as an added security feature. Then came the 2010 elections, and to everybody’s surprise, the vote counting machines did not require anyone’s biometric data at all. Hmmmm. Then until late last year, the COMELEC, again, required registered voters to have their biometrics data taken (or verified). They claimed that some of the biometrics data were corrupted. Hmmm. I was wondering, what grade did the COMELEC’s Systems Administrator get in his/her DBA class? Was he/she absent when the topics of Data Backup, Redundancy and Management were discussed?
- Did the COMELEC have a documented procedure or something to that extent on how they handle, secure and protect the data of voters?
Now that OUR private information (I am referring to registered voters like myself) is floating on the interwebs (for around three years now, according to the hacker group who stole the databases from the COMELEC), what safeguards are being made by the Philippine government to ensure that a recurrence of the same will not happen anytime in the near (or far) future to any branch of the government?
Will it be possible to conduct some sort of an IT Audit of branches of the government like the Bureau of Internal Revenue, Department of Transportation & Communication (LTO, ATO, etc.), SSS, PagIBIG Fund, to name a few, to prevent this kind of incident? The second question will be: who is the most appropriate to conduct such an IT Audit?
Right now, there are more questions than answers.
Personally, what I am afraid of is a scenario of having a No Election or Failure of Election next month, owing to the fact that leaked personal information may be used to disenfranchise voters or commit massive cheating at the precinct level. Until then, I will be on “wait and see” mode.
But I liked the battle cry in today’s Technical Forum on the COMELEC Data Leak: “See you in court, COMELEC.”