Anonymous Philippines, a hacktivist group, defaced the Commission on Elections’ (Comelec) website on Sunday, March 27, 2016, posting the message: “We request the implementation of the security features of the PCOS (Precinct Count Optical Scanner) machines. Commission on Elections, we are watching!”
Just hours later, another hacktivist group named LulzSec Pilipinas claimed that they hacked the Comelec’s database and leaked it on Facebook, with mirror links available for download.
The Comelec confirmed the breach but maintained that no sensitive information was compromised.
“There is no sensitive information here; in other words, the website we will use for the election is separate, especially for results reporting,” Comelec spokesman James Jimenez said.
Trend Micro, a tech security firm based in the United States, investigated the hack and found that a huge amount of sensitive personally identifiable information (PII), including passport information and fingerprint data, was included in the data dump.
In response, Comelec denied Trend Micro’s claim and said that sensitive biometrics data weren’t included in the database leak.
“We know the data they (hacker group) claimed to have and we know that data doesn’t include biometrics,” Comelec spokesman James Jimenez said in a media briefing.
“In my mind it’s a little dangerous,” Jimenez said of the report, saying it legitimizes the data dump.
“They don’t have the ability to actually validate whatever it is they’re looking at, because they don’t have access to Comelec’s database,” he added.
LulzSec Pilipinas: You Want Proof?
On April 21, 2016, Filipino voters were stunned when a website appeared with a search engine built on voter data from the Commission on Elections’ database. The information on about 55 million registered voters includes full name, birthdate, fingerprint information, parents’ full names, complete residential address, passport number, and more.
On LulzSec’s website, there is even a link to the raw database, downloadable via torrent. According to Trend Micro, this is possibly the biggest government-related data breach in history.
What’s alarming is the fact that they (Comelec) are not acknowledging the problem.
“Part of the problem is that Comelec are still not acknowledging the problem,” said Troy Hunt, the creator of haveibeenpwned.com, a website that allows people to check if their online accounts have been breached.
Hunt described the Comelec response as irresponsible, adding, “All they need to do is to compare the data in the breach with that in the source system. That’s a three hour job, not a three week one.”
The data dump is a big slap in Comelec’s face after it affirmed that no sensitive information was compromised.
What might have pushed the hacktivist group to prove its claim is Comelec’s denial. Instead of admitting the insecurity and informing the public about the compromised data, Comelec kept on denying until the hacktivist group LulzSec Pilipinas proved Comelec’s “phantom security”.
Comelec’s Denial + Pride
The Commission on Elections has once again affirmed that the upcoming election will not be tainted by cheating.
“That’s one of the things we’ve always been sure of because the elections will not be run on the same servers (as the website). We will not even be using that (defaced) website,” Comelec spokesman James Jimenez said.
Well, we’ve heard that before, Comelec, but you’d better be right this time!
Let us assume that the motive of Anonymous Philippines and LulzSec Pilipinas is to inform the public and government officials about the vulnerabilities of government websites. Even so, now that the voters’ information is open to the public, anybody could have downloaded the database. To make it worse, bad people can use the information for their own benefit.
Here are possible risks that the affected citizens are facing because of the data leak:
1. Blackmail and Extortion. “Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion. In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more,” said Trend Micro.
2. Identity theft. The most-feared result of the Comelec hacking is identity theft. Identity theft, as defined by Wikipedia, is “the deliberate use of someone else’s identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person’s name, and perhaps to the other person’s disadvantage or loss.”
Are you ready to have a clone?
The person whose identity has been assumed may suffer adverse consequences if they are held responsible for the perpetrator’s actions. Identity theft occurs when someone uses another’s personally identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes.
3. Fraud. With the voters’ full names, birthdates, fingerprint information, parents’ full names, complete residential addresses, passport numbers, and more exposed to the public, credit card fraud is now easier for bad guys to execute.
How Does Credit Card Fraud Happen?
An article on the Federal Trade Commission’s Consumer Information site explains how credit card fraud happens:
Theft, the most obvious form of credit card fraud, can happen in a variety of ways, from low tech dumpster diving to high tech hacking.
- A thief might go through the trash to find discarded billing statements and then use your account information to buy things.
- A retail or bank website might get hacked, and your card number could be stolen and shared.
- Perhaps a dishonest clerk or waiter takes a photo of your credit card and uses your account to buy items or create another account.
- Or maybe you get a call offering a free trip or discounted travel package. But to be eligible, you have to join a club and give your account number, say, to guarantee your place.
The next thing you know, charges you didn’t make are on your bill, and the trip promoters who called you are nowhere to be found.
What Can You Do?
To find out what you can do to prevent credit card fraud from happening to you, visit the Federal Trade Commission’s website on Consumer Information.
4. Walking dead voters. It might seem funny, but it is possible. Politicians running in the upcoming (May 9) election can use the identities of registered (but deceased) voters to cheat by employing people in need of money to act as those voters.
5. Doubtful election result and presidential loser’s right to complain. How can we be sure now that the election result is accurate? Whoever loses the upcoming Presidential election will surely doubt the accuracy of the result and might organize a coup, especially those who have the financial capacity to do so.
There are serious concerns behind Comelec’s database leak.
First, the hack succeeded because of the lack of competence of the data security professionals and software developers employed by Comelec.
- The budget for Comelec is probably not enough to hire more competent IT professionals.
- If there is enough budget, it is probably not allocated properly because of corruption.
Second, the hack exposed COMELEC’s weaknesses in terms of network and data security.
Third, we are focusing on the wrong concern: internet speed is not the primary concern, data security is. Faster internet speed will result in more cybercrime-related concerns in the coming months and years. On top of that, this was not tackled in the previous Philippine Presidential Debate.
Fourth, denial will solve nothing. Let’s take Troy Hunt’s word, “Part of the problem is that Comelec are still not acknowledging the problem.”
Fifth, the Philippines is once again in the record books, this time for the biggest government-related data breach in history, just after the biggest money-laundering act ever committed: the Bangladesh Bank Heist.
Lastly, the hack proved that Comelec’s database is disorganized. The leaked database was a “real hodgepodge” of data structures, with file names suggesting hasty copy-and-pasting of old versions, poor maintenance and lax management. “It’s very, very shoddy. This was probably something that hasn’t had much love,” according to Troy Hunt. Ouch!
At the end of the day, everyone, especially the affected citizens, should be very concerned about the data leak and must take preventive action. Every Filipino citizen must now know the basic security measures to avoid risks such as identity theft and fraud. After the election, it is up to the next President’s administration to face the problems, contain the effects of the data leak and disseminate information on citizen security measures.