Sorry over leaked data, Comelec tells public to change passwords

MANILA, Philippines — The Commission on Elections (Comelec) apologized on Thursday as a hackers' group claims to have dumped personal data of millions of Filipino voters and made it searchable through a recently launched website.

Lawyer James Jimenez, Comelec spokesperson, said the poll body is doing what it can to resolve the matter "at the soonest possible time."

"I apologize for this continuing attack on your privacy," Jimenez said in a statement.

Jimenez said the National Bureau of Investigation has been tapped to try to take down the website titled "Philippines, we have your data" that caught the attention of netizens on Thursday.

READ MAIN STORY: Filipino voters' data leaked via search engine

"Kausap na po namin ang NBI. Sana mabilis nga nila ma baba ang website," Jimenez said, responding to an inquiring user on Twitter.

The leaked data came from a reported hacking of the Comelec website by Anonymous Philippines. Another hacking group, LulzSec Pilipinas, claimed to have built a search engine over the leaked information, saying it would be "fun."

"The database contains a lot of sensitive information, including fingerprint data and passport information. So, we thought that it would be fun to make a search engine over that data," the group said in a statement on the website.

Risks involved

The poll body, meanwhile, seemed to have admitted its lapses over the hacking incident after weeks of being in denial that the breach could expose million of voters' personal information.

Jimenez used his Twitter account following the launch of the search engine to warn voters what they could do to protect their digital traces.

"Tayong lahat po. Palitan email addresses and passwords; contact credit card company to tell them maaring damay kayo," he said.

Japan-based online security firm TrendMicro released a report on April 6 warning Filipinos that the recent hack attack on the Comelec site left 55 million voters' information at risk.

"Comelec officials claimed that there were no sensitive information stored in the database. However, our research showed that massive records of PII, including fingerprints data were leaked. Included in the data Comelec deemed public was a list of Comelec officials that have admin accounts," the TrendMicro report said.

PII stands for sensitive personally identifiable information such as passport information and fingerprint data.

The firm also warned that cybercriminals can perform acts of extortion or breach connected data to access bank accounts.

Protecting information

Internet advocacy group Democracy.Net.PH released a list of what voters can do to protect online traces possibly exposed by the leak.

The group said users should take immediate steps to strengthen online accounts, such as by enabling the two-step authentication for any online account they may have. They should also change security questions that cannot be gleaned from the leaked database. Privacy levels even for social media accounts should also be increased.

Voters should also call their bank to enable telephone confirmation before allowing any transaction.

"When possible, and through the use of the telephone, make arrangements for your banks and similar institutions to contact you prior to any transaction being allowed to go through, or to have a means of allowing you to authenticate your transaction," the group said.

Passports, licenses and identity cards can also be renewed. "These are documents typically compromised by identity theft attacks," it said.