The Center for International Law Philippines (Centerlaw), a human rights legal group, delivered on Monday, April 25, a demand letter to the Commission on Elections (Comelec) over its possible failure to reasonably protect the sensitive private data of registered voters that resulted in the hacking and leaking incident dubbed #Comeleak.
In his individual capacity as a private citizen, Jose Ramon Albert, senior research fellow of the Philippine Institute for Development Studies, formally demanded that the Comelec notify the National Privacy Commission of the nature of the breach, the sensitive personal information involved, the measures taken by the poll agency to address the breach, and the officials designated by the Comelec as accountable for its compliance with RA 10173 or the Data Privacy Act of 2012.
Albert, who is the former secretary general of the National Statistical Coordination Board and member of the Privacy Advisory Group of the United Nations Global Pulse, was assisted by lawyer Romel Bagares of Centerlaw.
The demand letter reminded members of the Comelec that, “Under Section 30 of the Data Privacy Act, it is a crime to conceal security breaches involving sensitive personal information, with a penalty of imprisonment of one year and six months to five years and a fine of not less than P500,000.00 but not more than P1,000,000.00.”
The Comelec has been given 24 hours to respond, after which a formal complaint will be filed against the poll body by Albert via Centerlaw before the National Privacy Commission.
Since around March 28, database dumps of the sensitive personal data of around 55 million registered Philippine voters have been made freely available for download on the Internet by hacking group LulzSec Pilipinas.
On April 21, individuals who had obtained the leaked data launched a website hosted on Russian servers. On it, any individual could search for a Filipino’s name and retrieve, in whole or in part, the first name, last name, mother’s maiden name, date of birth, street address, fingerprint biometric topological data and, for OFWs, passport numbers and e-mail addresses. This information is usually what is needed to perform identity theft or compromise the physical safety of ordinary citizens.
Since the beginning of the leak, the Comelec has consistently declined to verify the authenticity of the leaked files, but individual Filipino netizens have since confirmed that much of the data revealed via the Russian website was indeed legitimate.
As security researcher Troy Hunt, who had examined the data firsthand, related: “Part of the problem is that Comelec are still not acknowledging the problem… All they need to do is to compare the data in the breach with that in the source system. That’s a three hour job, not a three week one.”
The full letter of demand may be viewed via this link: Centerlaw #Comeleak Demand Letter