Every single registered voter in the Philippines now has his or her personal information exposed in a data breach. The number of registered voters in the country amounts to a staggering 55 million individuals, which ranks the breach as one of the worst governmental data breaches ever.
The entire database of the Philippine Commission on Elections (COMELEC), containing details of every registered voter in the country, has been the target of a massive data breach.
The breach could very well be the largest governmental data breach of its kind, easily dwarfing the Office of Personnel Management (OPM) hack in the United States that eventually saw the leak of personal data of some 20 million U.S. citizens.
An investigation by security firm Trend Micro revealed that a data dump subsequently shared by the hacking outfit behind the breach included sensitive, personally identifiable information (PII) such as fingerprint data and passport information.
The entire episode began when the website of COMELEC was initially defaced by a hacker group, believed to be an offshoot of hacking collective Anonymous. The motivation of the hacking group was to persuade the country’s election commission to upgrade and bolster the security features deployed in the country’s voting machines. These machines will be used for the national elections on May 9.
A statement from Anonymous read:
What happens when the electoral process is so mired in questions and controversies? Can the government still guarantee that the sovereignty of the people will be upheld? We request the implementation of the security features in the PCOS (precinct count optical scan) machines.
Commission on Elections, we are watching! We are Anonymous. We are legion. We do not forgive. We do not forget. Expect us!
The Data Breach
A second hacking outfit, believed to be LulzSec Pilipinas, then proceeded to breach the commission’s database altogether.
The hacker group dumped the entire database online. The dump was soon available to download via multiple mirror links. In a marked effort to downplay the breach, a spokesperson for COMELEC claimed that no sensitive information was taken as a result of the breach.
The spokesman stated:
There is no sensitive information there. We will be using a different website for the election, especially for results reporting and that one we are protecting very well.
Despite such claims, an investigation by Trend Micro revealed that fingerprint data had indeed been leaked, along with PII records numbering in the millions.
The investigation by Trend Micro revealed:
- 3 million records of overseas Filipino voters, including their passport numbers and expiry dates.
- The data for overseas citizens is in plain text, accessible by anyone.
- A massive record of 15.8 million fingerprints.
The incident underlines the importance of prioritizing cybersecurity among governmental entities, which typically hold entire databases of citizens’ data. Government agencies typically figure among the top 5 sectors frequently targeted by data breaches, alongside the healthcare, education, retail and finance industries.