Senate probe on ‘Comeleak’ set

MANILA, Philippines - The Senate committee on electoral reforms is set to conduct an inquiry into the hacking of the Commission on Elections (Comelec) database, an incident considered the worst recorded breach on a government-held personal database in the world.

In her Senate Resolution 260, electoral reforms committee chair Sen. Leila de Lima said there is a need to find the extent of damage the hacking caused to the voters’ database and the integrity of ordinary people’s personal information.

“There is no denying that the Comelec data breach is unacceptable. Those responsible should be fully prosecuted and punished, whether they are foreign or domestic actors,” De Lima said, stressing that the breach is everyone’s problem.

“Online lawlessness should be nipped at its bud,” she added.

The Comelec database was hacked last March, exposing sensitive information of 55 million voters, and a copy of such information is feared to be in the hands of criminal syndicates. 

Among the sensitive information the hackers accessed were verified name, date of birth, gender, civil status, post of registration, passport information, taxpayer identification number, e-mail address, mailing address, spouse’s name, names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, profession, sector, height and weight, identifying marks, biometrics description and voting history.

Although the Comelec maintained that no confidential information was unduly compromised, the hacking incident had prompted the National Privacy Commission (NPC) to investigate the alleged data breach and find out who the culprits were.

Comelec Chairman Andres Bautista welcomed De Lima’s resolution as he also seeks a review of the findings of the NPC, which recommended his criminal prosecution over the breach.

He added that a congressional inquiry may even help him and the Comelec clear their names, insisting that the NPC order penalizes the “hacked and not the hacker.”

The NPC decision, he maintained, is wrong and unfair as it “mis-appreciated facts, legal points and material contexts.” 

But the commission, in its Dec. 28 decision, said Bautista failed to ensure the privacy of the voters’ database last March and recommended criminal prosecution, taking note of Bautista’s alleged “lack of appreciation” of the principle that data protection is more than just the implementation of security measures.

For them, it amounts to a violation of Republic Act 10173 or the 2012 Data Privacy Act. – With Sheila Crisostomo