While the Commission on Elections (Comelec) has downplayed the impact of the recent hacking of its website and database, an Internet security firm said the leak may turn out to be the biggest government-related data breach in history.
Taiwanese tech firm TrendMicro, which operates a regional security hub in the Philippines, said the Comelec breach may surpass the Office of Personnel Management (OPM) hack in 2015 that leaked sensitive personally identifiable information (PII), including fingerprints and social security numbers (SSN) of 20 million US citizens.
In a rare report issued on Thursday, April 7, TrendMicro said its investigations showed that a huge amount of sensitive PII, including passport information and fingerprint data, was included in the data dump.
“Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of Comelec,” it warned.
Following the defacement of the Comelec website on March 27 by a hacker group, a second hacker group posted the poll body’s entire database online, it said, noting that three more mirror links from which the database could be downloaded were later added.
“With the upcoming Philippine national elections on May 9, the incident puts further pressure on the Comelec and their Automated Voting System (AVS). The first hacker group gave a stern warning for Comelec to implement the security features of the vote counting machines. However, the actions done by the second hacker group have exposed Comelec’s weaknesses in terms of network and data security,” the e-security firm observed.
TrendMicro also noted that there were discrepancies in the pronouncements of Comelec regarding the information stored in the database. “[O]ur research showed that massive records of PII, including fingerprints data were leaked. Included in the data Comelec deemed public was a list of Comelec officials that have admin accounts,” it said.
Based on its investigation, the tech firm said the data dumps included 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates.
“What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections,” it said.
TrendMicro stressed that regardless of whether the hacking could affect the elections, there is still the issue of all the voter information that was leaked.
“Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion. In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more,” it said.
TrendMicro said the incident has highlighted the need for a stronger security mindset and data classification, given the possible impact of the breach on voters.
“This also brings to the fore the importance of having data protection officers that would be responsible for the legal requirements as well as securing all types of crown jewels or highly sensitive data of organizations,” it said.