IT experts: 'Comeleak' a breach of public trust

MANILA, Philippines — IT experts on Saturday said the massive leak of voters’ data compromised the public’s trust in the Commission on Elections (Comelec). It also raised questions on how other government agencies are protecting our sensitive data.

“The keyword here, not just for Comelec itself but any institution that holds private information, is: due diligence,” Isaac Sabas of tech firm Pandora Security Labs said in a forum in Makati City. 

“The root cause there is you yourself did not do due diligence to uphold the Data Privacy Act (RA 10173). We, as citizens, entrust you with the information, so you are liable. You have to be held accountable.” 

Ordinary vs sensitive info

Tech experts also slammed Comelec for keeping the public in the dark regarding the enormity of the breach. 

They said the poll body has downplayed TrendMicro’s investigation on how the leak endangers the 55 million registered voters with passport details of 1.3 million overseas Filipino voters and 15.8 million fingerprint records exposed. 

It assured voters that no biometrics data were included in the leak, and added that the information the hackers claimed to possess only include public information. 

RELATED: IT grad, 23 arrested for Comelec website hack

Lawyers Toby Purisima and Reginald Tongol, cyber law experts, however, disagreed. 

Tongol differentiated ordinary information from sensitive information. 

He said ordinary information is any kind “in which the identity of an individual is apparent or can be reasonably ascertained or if put together with other information would identify the individual.” 

Sensitive information, on the other hand, includes race; ethnic origin; marital status; age; color; religious, philosophical or political affiliations; health; education; genetic or sexual life; social security number; health records; and tax returns, among others. 

Although someone's name is not sensitive information, according to Tongol, other IT experts said that the maiden name of a person’s mother could be considered so as it is one of the questions used in identity verification for email recovery and bank transactions. 

RELATED: Banks warned vs identity theft; ‘Comeleak’ website taken down

It took weeks after the TrendMicro report and a website that made the data searchable for the Comelec to show alarm to the enormity of the breach. 

RELATED: Sorry over leaked data, Comelec tells public to change passwords

"Siguro dahil iniisip nila na available sa Facebook, Instagram, Twitter no harm no foul," Purisima said. 

Legal implications

The two lawyers also noted the various cybercrime laws violated by the hackers such as the Cybercrime Prevention Act (RA 10175), Data Privacy Act, and the E-Commerce Act (RA8792). 

They added that the poll body is also liable under the Data Privacy Act, Code of Ethics and Ethical Standards (RA 6713), Antigraft and Corrupt Practices Act (RA 3019). 

The Comelec chairman and commissioners may also be impeached for betrayal of public trust under the Constitution, Purisima said. 

Beef up security 

Even with the website that made the information available already taken down, IT experts said information posted on the internet doesn’t really disappear. 

Sabas said this is the reason due diligence — being proactive, coupled by constant monitoring — is of utmost importance. 

He said that there must be a change in the current mindset which focuses on postmortem response or the thinking that: “Di pa naman tayo naha-hack e, puwede na yan." 

“You have to be proactive. You have to understand what’s coming in and what’s going out.” 

Rick Bahague of VoteReportPH said that with the size of the leaked database, 340 gigabytes, and the internet speed in the country, the hacker group must have been downloading the database even prior to the March 27 defacement of the site. Comelec should have noticed it “by looking at the spike” in its system, he said. 

IT experts said that other government agencies that have more data should practice due diligence. 

“Let us not add to the voluminous data about us that is already there. There are other data-intensive agencies that are supposedly accountable to us, that still have more data. SSS, GSIS, PhilHealth, Pagibig, NSO, it’s a whole parade, LTO. We have to demand that they show to us how they are protecting our data because, who knows, they would be next,” Tonyo Cruz of TXTPower said.