Privacy body probes new Comelec data breach

MANILA, Philippines - The National Privacy Commission (NPC) yesterday took the Commission on Elections (Comelec) to task and ordered it to take serious measures to address its data vulnerabilities after a desktop computer containing voters’ data was physically stolen in Wao, Lanao del Sur last Jan. 11. 

It was the poll body’s second large-scale data breach in less than a year, Privacy Commission head Raymund Liboro disclosed yesterday.

Fearing more data leakages amid ongoing voters’ registration nationwide, Liboro said the NPC would probe the Comelec’s data system further.

In March last year, young information technology graduates reportedly hacked into the Comelec’s official website and defaced it, leading to the leaking of confidential voters’ information on the internet a little later.

“Anybody would like to think that after the massive breach that occurred (last year), the overall security posture of the poll body in processing the national database has been heightened,” Liboro told The STAR.

Comelec Chairman Andres Bautista said the poll body is now making efforts to strengthen its database, in response to the NPC’s stern orders.

Bautista said one measure is the appointment of Comelec executive Director Jose Tolentino as the poll body’s data protection officer.

Last year, after the first data breach, the NPC recommended to the Department of Justice the prosecution of Bautista for gross neglect of duty. This year’s incident is not much different, Liboro said.

The stolen Comelec computer in January contained data from the Voter Registration System (VRS) and voter search applications, the National List of Registered Voters (NLRV) and biometric records of registered voters in Wao, Lanao del Sur.

“This is already Comelec’s second large-scale data breach in a span of less than a year – a case of a database being breached twice under different circumstances,” Liboro pointed out. “This time, it involves actual large-scale biometrics data of voters in a municipality. The Commission is very concerned, especially since there’s ongoing voter registration nationwide. We will delve deeper into the problem to possibly recommend other measures for Comelec to implement to protect voter data nationwide.”

Liboro said aside from the 55 million voters’ database last year, there were almost 58,000 Wao municipality voters’ data in the computer that was stolen last month.

“This breach illustrates that there are many ways to lose personal data,” Liboro stressed. “That is why data protection is not only an IT security issue involving firewalls. It’s a governance matter that covers organizational and physical measures to protect data. In this case, failure to secure the very computer containing personal data can be just as disastrous. If the Comelec won’t address the problem systemically, this will happen again and again.”

While the Comelec claims the data in the database is encrypted, it noted “if the robber will be able to gain access to the VRS, and to decrypt the VRS and the NLRV data, the personal data might be used by unscrupulous persons for purposes other than those legitimately intended.”