Wednesday, January 11, 2017

COMELEC to appeal NPC ruling on hacking of poll body's website

MANILA (12 Jan 2017) - The Commission on Elections (COMELEC) is set to appeal the decision of the National Privacy Commission (NPC) in connection with the hacking of the former's website in March 2016.

According to COMELEC Chairman Juan Andres Bautista, the commission was set to file the Motion for Reconsideration (MR) through the Solicitor General on Friday, January 13, 2017.

With this, he noted that the COMELEC would designate a data protection officer as required under the Data Privacy Act or Republic Act 10173, as pointed out by the NPC in its ruling.

[Photo: Jose M. Tolentino, Jr.]

"Designated acting data protection officer in the person of Executive Director Jose M. Tolentino, Jr.  We have until January 27 to appoint a permanent data protection officer," said Bautista in an interview after attending a Mass at the Manila Cathedral with some 200 poll body employees who expressed their support for his leadership.

He reiterated that the recommendations of the NPC were going to be implemented.

"The NPC's recommendations to strengthen the COMELEC website are all well taken.  We will really implement all of them," the poll body chief added.

He also expressed disappointment over the recommendation to file a case against him.

"The only thing I feel bad about is why there still had to be a recommendation for criminal fact-finding.  But it is already there.  In life, everyone has their own challenges.  Everyone has their own cross to bear.  So the challenge for us is to carry this cross with dignity and faith," Bautista said.

Likewise, he announced that they would conduct a workshop on January 18-20 to discuss COMELEC rules in connection with the NPC's implementing rules.

"This COMELEC workshop is to discuss our own rules in respect of NPC's implementing rules. We also invited resource persons from NPC so that it is clear what they want implemented under this law," Bautista added.

At the same time, he admitted that he was surprised by the support given by the employees.

In its 35-page decision, the NPC said COMELEC has violated Sections 11, 20, and 21 of the Data Privacy Act when it failed to protect the privacy of the voters' data in its role as "personal information controller."

The ruling also recommended the criminal prosecution of Bautista due to his "willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence."

The hacker group Anonymous Philippines hacked the COMELEC website and defaced its contents on March 27, 2016.

Another group, LulzSec Pilipinas, leaked online millions of voter registration data, including names, addresses, and birthdays, among others.  [Philippine News Agency]

Saturday, January 7, 2017

Malacanang tells COMELEC to hold itself accountable for 'Comeleak'

MANILA (7 Jan 2017) - Malacanang on Friday urged the Commission on Elections (COMELEC) to accept accountability for the hack on its database last year that exposed millions of voters to identity theft and fraud.

Presidential Communications Secretary Martin Andanar also called on the COMELEC to release its investigation report on the hack, a day after the National Privacy Commission declared the election watchdog's chair, Andres Bautista, liable for "gross negligence" that left the election body's database highly vulnerable to cyber-attack.

The finding opened Bautista to criminal prosecution over the security breach that became known as "Comeleak."

Voter database hacked

[Photo: Paul Biteng Zulueta, alleged COMELEC hacker]

In that attack, hackers extracted contents from the COMELEC's website, including information from the voter database, from March 20 to 27, 2016.

The hackers then uploaded the voter information - names, addresses, dates of birth, passport details - to file-sharing platforms.

The COMELEC became aware of the security breach when the files went viral online.

Compromised were the files of 77 million voters, in what has been described as one of the worst breaches of a government database.

The privacy commission, however, said the leak did not affect the integrity of the May 9, 2016 elections.

Andanar said the security breach exposed those voters "to risks such as identity theft and fraud," a matter that "simply cannot be swept under the rug."

"[The] Comelec must not only protect the vote, it must protect the voters as well," Andanar said in a statement.

He urged the COMELEC to accept responsibility for the breach and release the report on its investigation of the cyber-attack to maintain the election body's credibility, and uphold the integrity of the electoral process.

Efforts must be made to thwart attempts to interfere with the electoral process, he said.

"Let us put an end to election-related maneuverings and ensure that any attempt to subvert the people's will, no matter how sophisticated, will not succeed," he added.

Formed last year, the privacy commission investigated the hack on the COMELEC and found that the election watchdog did not have basic data principles.

It said the COMELEC had no policy covering data privacy and did not even have a data protection officer.

The void left the COMELEC highly vulnerable to cyber-attack, which the privacy commission blamed on Bautista.

It concluded that under the Data Privacy Act, Bautista committed gross negligence and recommended him for prosecution.

On Friday, Bautista said he was open to a "congressional investigation in aid of legislation."

He also defended himself against the findings of the privacy commission.

"We believe that we did what we had to do given the circumstances.  We feel the [privacy commission] overstepped its boundaries," he said.


The election watchdog Kontra Daya welcomed the privacy commission's finding against Bautista, saying it could serve as basis for the COMELEC chief's impeachment.

"[T]his could be a ground for Bautista's impeachment, especially considering that the leak was initially reported by TrendMicro on April 6 and the COMELEC at that time failed to disclose the extent of the breach," the group said in a statement.  [Julie M. Aurelio, Leila B. Salaverria] 

Thursday, January 5, 2017

Criminal charges recommended vs COMELEC chairman Bautista

MANILA (5 Jan 2017) - The National Privacy Commission (NPC) on Thursday recommended the filing of criminal charges against COMELEC chairman Andres Bautista and the poll body for the theft of millions of voters' personal records in 2016.

Since dubbed "Comeleak," the cybersecurity breach is one of the biggest data heists in history that saw the theft of as many as 55 million personal records from the COMELEC website, according to early estimates.

80-M records hit but no effect on election

However, the exhaustive NPC investigation revealed that the number was closer to 80-million:
  • 75,302,683 records comprising the Precinct Finder web application voter database
  • 1,376,067 records comprising the Post Finder web application voter database
  • 139,301 records comprising the iRehistro registration database
  • 896,992 personal data records comprising the firearms ban database
  • 20,485 records of firearm serial numbers, also from the firearms ban database
  • 1,267 records comprising the COMELEC personnel database

NPC commissioner Raymundo Liboro assured the public that the data breach did not affect the results of the national election.  However, he underscored the gravity of the heist and the long-held need for stricter data privacy measures in the country.

"This is the largest security breach ever of a government institution anywhere in the world," Liboro lamented.

Violation of 2013 Data Privacy Act

In its 35-page decision, the NPC found the COMELEC itself to have been in violation of Sections 11, 20, and 21 of Republic Act No. 10173 or the Data Privacy Act of 2012.

COMELEC chairman Andres Bautista was also found to have violated the same sections, as well as Section 22 in relation to Section 26 of the same Act.

"We are not saying he is guilty, but we have substantial evidence, hence the recommendation to file charges (against Bautista).  The evidence was sufficient to recommend prosecution," said NPC deputy commissioner Atty. Ivy Patdu.

The NPC criticized Bautista for his "lack of appreciation" for the need for stringent cyber-security measures.

"Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of COMELEC's privacy and security policies and practices," the decision read.

'COMELEC was negligent'

Patdu explained that the COMELEC had no security measures in place, so it was only a matter of time before any data on the agency's site was stolen.

She also said that the agency should have implemented stringent end-to-end security beginning from the point of data collection, and not just on the website.

The responsibility for this falls squarely on the COMELEC and its leadership, according to Patdu.

"It was a failure of duty required by law.  It's tantamount to negligence," she said.

Irreversible damage

Patdu also lamented the irreversible damage caused by the hack.

"Our data is out there.  The danger is there, even if it's not immediately apparent right now.  It can be felt years from now.  (That's why) we should urge government to take data protection seriously," Patdu said, warning that the data could be used for malicious purposes at any time.

The decision caps a months-long investigation into the crime.

'Misappreciation' of facts

Reached for his comments, Bautista said the NPC findings were based on "misappreciation" of facts.

"With all due respect to the NPC membership, we believe that the NPC decision was based on misappreciation of several facts, legal points, and material contexts," Bautista said.

He also defended himself after the NPC "conveniently points to the Head of Agency as solely responsible for the data breach."

Bautista said the COMELEC en banc, "currently managed by seven lawyers," including himself, "(relies) on our IT Department for expert advice on website/data security and privacy and IT-related matters."

History of COMELEC heist

On March 27, 2016, a group of hackers gained access to the COMELEC website and defaced the agency's page.  A second group took advantage of the same vulnerability and managed to steal the agency's voter database, which happened to be accessible from the site.

The database was made public, exposing the personal information of millions of Filipino voters to identity thieves and other hackers.

Fear quickly spread that the information could be used to rig the looming presidential elections.  The COMELEC initially downplayed the gravity of the breach, but the Bangko Sentral ng Pilipinas issued a memorandum warning all banks to be wary of attempts at identity theft.

Within a month, the National Bureau of Investigation's Cybercrime Division arrested two suspected hackers who were allegedly directly involved in the breach.

In August, Bautista said that the poll body had committed to working closely with the NPC and the DOST to ensure the future security of COMELEC data.  [TJ Dimacali, GMA News]
