MANILA, Philippines – There is no way voters’ data hacked from the official website of the Commission on Elections (Comelec) can be used to rig the coming May 9 elections, poll officials said yesterday.
“That’s one of the things we’ve always been sure of because the elections will not be run on the same servers (as the website). We will not even be using that (defaced) website,” Comelec spokesman James Jimenez said.
Jimenez said the Comelec would print lists of voters with corresponding photographs to ensure quick validation of voters on Election Day.
“We will have a personal verification system on Election Day. The Comelec will not come out with polluted lists of voters coming from outside sources,” he added.
Last March 27, Comelec’s website www.comelec.gov.ph was defaced twice and voters’ personal details were later found uploaded on various sites, including www.wehaveyourdata.com.
The website had allowed Internet users to search voters’ profiles like full name, birth dates and addresses.
In some cases, passport details and even biometrics data were reportedly exposed.
According to Jimenez, the Comelec’s Information Technology Department (ITD) is still verifying the accuracy of the leaked data.
“We never denied that the breach happened. What we are saying is we hadn’t yet at that time verified 100 percent whether the breach was completely accurate,” he clarified.
Jimenez said the Comelec database is undergoing forensic examination to determine how the hackers penetrated the system.
“We want to make sure our future steps are better suited to protect us against that kind of attack. The Comelec does not want it to happen again. It’s not true our website was not protected,” he stressed.
“No one in this day and age would put up a website without some sort of protection, but we have to remember that the hacking attempts were continuous attempts over time,” he pointed out.
The hacking story first got public attention after the emergence of a user-friendly website that allowed Internet users to search for their personal information.
Owners of the website, http://wehaveyourdata.com, said they used the database dump of the LulzSec Pilipinas containing information on 70 million voters.
“The database contains a lot of sensitive information, including fingerprint data and passport information. So, we thought that it would be fun to make a search engine over that data,” they said.
Meralco, through spokesman Joe Zaldarriaga, also clarified the alleged hacker Paul Biteng is not a son of an employee. “Based on our records, we do not have an employee surnamed Biteng,” he said.
‘Genie out of the bottle’
But for cyber security experts, the data leaked can never be contained and will forever be in the public domain.
“Once this information is out, it’s impossible to recover. It’s not like 55 million Filipinos can change their fingerprints,” Bryce Boland, Asia-Pacific chief technical officer of cyber security firm Fire Eye, told Bloomberg.
“I think it’s very serious. We’re talking about the personal details of about 55 million Filipinos. And it’s not just names and address – their email address, their passport information, their height, their weight, their parents’ names, even their fingerprint details. This is very significant,” he added.
Boland noted the leak, now called Comeleak, is one of the largest data breaches of government information in the world.
“The problem here is that it creates a lot of opportunities for malicious attacks, and we can see (possible) fraud attacks,” he said. “It’s just a matter of time before some criminal groups work out that they can use these information to get access to that.”
Web security expert Troy Hunt – founder of website “have I been pwnd?” – also said the leaked personal information is now perpetually in the public domain.
“There’s the potential to do serious damage to those involved and we need to remember that the same classes of data are held by all our governments in our respective corners of the world,” he wrote in a blog post.
Despite the removal of the original website, Hunt said the original database is still being shared online.
“Not only has it been readily available for download from multiple locations on the clear web, it’s been quite extensively torrented too,” he added.
“The genie is well and truly out of the bottle and it won’t be going back in,” he added.
Hunt also debunked Comelec’s claims that no sensitive information was compromised.
“This is a very large amount of data and reading through those column names, clearly many of them would be considered sensitive, personally identifiable data,” wrote Hunt.
Software security company Trend Micro has also warned about the sensitive personal information included in the leaked data.
“Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone,” said the security firm. “Interestingly, we also found a whopping 15.8 million record of fingerprints and list of people running for office since the 2010 elections,” it added.
Clarification sought
Speaking over radio dzRB, Presidential Communications Development and Strategic Planning Office Undersecretary Manuel Quezon III said Comelec should clarify the extent of the hacking of its database as Malacañang has its own investigation into reports that its server, mail.malacañang.gov.ph, also downloaded information coming from the poll body’s site.
Quezon also urged the public to take necessary precautions to protect their accounts.
“Having said that, what’s good here, in a sense, is that the IT community – and so many Filipinos are good at this – have all been coming together and been issuing advisories that are common sense for us all to follow,” he said.
He said Executive Secretary Paquito Ochoa Jr. was immediately informed on the night of April 21 about social media screenshots that purportedly showed the Office of the President’s mail server being used to torrent and seed the Comelec data.
Torrents are “peer-to-peer” file sharing systems that allow users to download files from the computers of other users on the same system.
“Now, as of (Friday) morning, there continue to be screenshots that the torrent was still being downloaded or seeded using the address. So what is being done? An investigation is being conducted by the Office of the President-MIS (Management Information Service) department,” the Palace official said.
He said the subdomain mail.malacañang.gov.ph has been delegated to a specific mail server under the OP-MIS department since May of 2011.
“Now, they are currently reviewing their firewall and server logs, for any activity that would determine if one... the server was used to download and seed the torrent; or two, if the server was compromised or if a remote client was using the mail server to access the Internet; or three, if the culprit intentionally forged his host name to appear as with malicious intention,” Quezon said.
Meanwhile, Comelec said no significant problem was detected in its end-to-end transmission tests for 34 polling precincts across the country, except for two ballots that got swapped.
Comelec Commissioner Christian Robert Lim told reporters it was discovered that the ballots intended for Kapatagan in Digos City, Davao del Sur went to Pateros and vice versa.
To address the situation, he noted they had the 50 ballots for Pateros reprinted at the National Printing Office in Quezon City.
In Digos City, the Pateros ballots were pulled out at around 10 a.m. and delivered to Davao.
Lim said the incident is unlikely to be repeated on Election Day since there is an inventory system for the official ballots.
“They are properly labeled,” said Lim, who also heads the Comelec Steering Committee for the 2016 Elections.
Karen Jimeno, head of Smarmatic’s Voter Education Committee, said SIM cards from three telecommunication companies and BGAN satellite devices were used to transmit the results. – With Janvic Mateo, Aurea Calica