The National Privacy Commission (NPC) has ruled that the Commission on Elections (Comelec) did not violate the Data Privacy Act (DPA) after concluding that its servers were not hacked prior to the May 2022 polls.
In a decision resolving the “sua sponte (of one’s own accord)” complaint filed by its Complaints and Investigation Division (CID), the NPC also cleared Smartmatic of any violation of the DPA after determining that the unauthorized access to its system was “caused by employee malfeasance”.
In absolving the Comelec and Smartmatic, the NPC pointed out that “no evidence on record shows that there was a lack of reasonable and appropriate security measures that could have resulted in the breach.”
The decision was penned by NPC deputy commissioner Leandro Angelo Aguirre and concurred by commissioner John Henry Naga. The privacy agency sent the decision to the Comelec last Dec. 27, 2022 and was received by the poll body on Jan. 4.
The NPC, however, found that former Smartmatic employee Ricardo Argana and a certain Winston Steward, and other unknown individuals liable for violating Section 29 of the DPA.
The commission found the individuals committed unauthorized access or intended breach when they broke into Smartmatic’s servers that stored personal or sensitive personal information.
In its decision, the NPC recommended to the Department of Justice that the said individuals be prosecuted for violations of the data privacy law.
In his sworn statement submitted to the CID during the course of the investigation, Argana said that he worked at Smartmatic from August 2021 to January 2022 as a quality assurance tester who had access to the company’s virtual private network.
Argana said that he received a private message from Steward who promised to pay him P50,000 to P300,000 in exchange for giving access to his computer while connected to Smartmatic’s servers.
Argana said that he gave Steward an access to his computer via AnyDesk App, a remote desktop application. Steward, however, reneged on his promise to pay Argana the amount they agreed on.
The NPC’s CID initiated the investigation after the Manila Bulletin published a story on Jan. 10, 2022 titled “Comelec servers hacked; Downloaded data may include information that could affect 2022 elections.”
The news article reported that hackers breached the servers of Comelec, claiming that the downloaded data included list of overseas absentee voters, location of voting precincts with details of board canvassers, configuration list of database, and list of all user accounts of Comelec personnel.
But the NPC noted that the pieces of evidence gathered by the CID proved that the Comelec servers or its systems were not breached, as opposed to the report that falsely claimed that the hacked data included information that could have affected the 2022 elections.
The Comelec had argued that its system was separate and completely different from Smartmatic’s system. It averred that an alleged breach in Smartmatic’s system does not necessarily relate to the personal information stored in Comelec’s database pertaining to the overseas absentee voters list.
As there was no direct link to connect the alleged breach in Smartmatic’s system to Comelec’s servers, the NPC asserted that they were not liable because the requisite of Concealment of Security Breaches involving sensitive personal information were not present.
Meanwhile, if found guilty of Unauthorized Access of Intentional Breach, Argana, Steward, and other individuals will face penalty of imprisonment from one up to three years and a fine of not less that P500,000 to P2 million.