Hackers release info on Philippine voters online

Janvic Mateo (The Philippine Star) - April 21, 2016 - 10:00am

MANILA, Philippines - Personal details of voters have been publicly released online, raising alarm among netizens yesterday over the implications of the database hack that the Commission on Elections (Comelec) earlier downplayed.

An Internet security firm has described the March 27 hacking and defacement of the poll body’s website as potentially the world’s biggest government-related data breach, but officials said they have yet to verify if the released information had come from the Comelec database.

A user-friendly website, http://wehaveyourdata.com, allows Internet users to search for the personal information of registered Filipino voters.

Among the information released were full names, birth dates, addresses, registration details and voter identification numbers.

Other voter details posted include the persons’ height and weight, passport details, and – in some cases – even biometric information such as fingerprint info and topography.

Unlike the Comelec website that enables voters to find their precincts by entering their full name and birthday, the site allows users to search for personal information of anyone with just the first name.

In such cases, users will find a list of names containing the one that they searched for, accompanied by birth dates and an option to see the full information.

“As you know (or don’t know), recently LulzSec Pilipinas have hacked comelec.ph. They have dumped the database of about 70 million of Philippines voters and have published all the data at archive.org,” said the owners of the page.

“The database contains a lot of sensitive information, including fingerprint data and passport information. So, we thought that it would be fun to make a search engine over that data,” it added.

While the data have been publicly available since the hack on March 27, owners of the site noted that they have made it available for everyone with Internet access.

“It’s one thing to hear news about a huge data leak and another to see your data in a public website. Maybe, at least now, government will start thinking about security of citizens’ personal data,” they said.

Comelec spokesman James Jimenez earlier downplayed the database hack, saying these were public information anyway.

But a security software company already warned of the implications of the database leak.

Security software company Trend Micro said cybercriminals can use the information gathered from the data breach to perform acts of extortion.

It noted that in previous instances, stolen data were used to access bank accounts and gather further information about specific persons.

The security firm alleged that the data leaked following the hacking of the Comelec website included sensitive personal identifiable information that puts every registered voter susceptible to fraud.

“Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone,” said the security firm.

“Interestingly, we also found a whopping 15.8 million record of fingerprints and list of people running for office since the 2010 elections,” it added.

Who was negligent?

In an ambush interview yesterday, Comelec Commissioner Rowena Guanzon said those responsible for the hacked website of the poll body may be held accountable. 

“I don’t know if heads should roll but I think that we have called the director of the ITD (information and technology department) to explain why this happened and what do they intend to do to make our websites more secure,” she said. “If there is gross neglect, that is a ground under the civil service rule.”

Guanzon added that the Comelec should learn from its mistakes to prevent the incident from happening again. 

Jimenez said they are still verifying the accuracy of the data that the hackers claimed to have copied.  

Webhosting service

Yesterday, the Department of Science and Technology-Information and Communications Technology Office (DOST-ICTO) confirmed that the Comelec will be migrating to their webhosting services provided under their flagship Integrated Government Philippines (iGovPhil) project.

But engineer Denis Villorente, DOST-ICTO deputy director general for e-government and concurrent director of the DOST’s Advanced Science and Technology Institute (ASTI), said the migration has yet to be done.

The DOST-ICTO said the Comelec website was webhosted by a private company.

DOST-ASTI has been particularly tasked to implement Administrative Order 39 issued by Malacañang mandating government agencies to migrate to the Government Web Hosting Service (GWHS) and set the Unified Web Content Policy (UWCP) that will give all government websites a common look and feel.

Government websites hosted under the GWHS have not had any successful defacements.

Warning vs Comelec, Smartmatic

In a related development, uniformed masked men warned Comelec and Smartmatic officials of dire consequences if they will allow the rigging of the May 9 polls.

“We declare a state of war against those who are out to trample upon the people’s right to vote through the sacred ballot. We are ready to kill and be killed for the Filipino people,” one of around 15 men holding assault rifles and the Philippine flag said in a video released yesterday on Facebook.

The group cited in particular Comelec Chairman Andres Bautista and the poll body’s commissioners, as well as Smartmatic officials.

Sought for comment, Col. Noel Detoyato, public affairs office chief of the Armed Forces of the Philippines, said they will have to determine the authenticity of the video because the armed men may just be using the military uniform to hide their real identities.

Election watchdog Kontra Daya yesterday said the breach on the Comelec’s data system has serious implications not just on the security and privacy of registered voters, but also on the integrity of the elections.

“When we register as voters, personal information we hold private become part of the Comelec data system. We voluntarily submit these information with an implicit assurance from Comelec that these will be kept private and not be published publicly on the Internet,” Rick Bahague, Kontra Daya convenor, said.

Bahague said another grave implication of the Comelec data leak is that the exposed voter information can be used as an added tool to commit electoral fraud. – With Sheila Crisostomo, Rhodina Villanueva, Jaime Laude, Rainier Allan Ronda

  • Latest
  • Trending
Are you sure you want to log out?

Philstar.com is one of the most vibrant, opinionated, discerning communities of readers on cyberspace. With your meaningful insights, help shape the stories that can shape the country. Sign up now!

or sign in with