Huge data breach leaves details of 55 million Filipino voters exposed to hackers

Officials downplay impact of leak of electoral roll, passport info and fingerprint data

Huge data breach leaves details of 55 million Filipino voters exposed to hackers
Huge data breach leaves details of 55 million Filipino voters exposed to hackers

The details of up to 55 million voters in the Philippines have been exposed putting much of the country at risk of identity theft.

The entire database of the Philippines' Commission on Elections (COMELEC) was breached on Wednesday according to the Philippine government. While the commission downplayed the leak, an investigation by Trend Micro discovered a huge number of sensitive personally identifiable information (PII)–including passport information and fingerprint data–were included in the data dump.

COMELEC spokesperson James Jimene told the Philippine Daily Inquirer that the data leak contained “no sensitive information there”. Trend Micro said that based on its investigation the dump included “1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates”.

“What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and a list of people running for office since the 2010 elections,” said a spokesperson for Trend Micro.

The breach follows the defacement of the COMELEC website on 27 March by a hacker group, a second hacker group posted COMELEC's entire database online. It is thought that Anonymous Philippines was responsible for the website defacement, while another group, Lulzsec Filipinas was responsible for the leak. Apparently, the hacker group had wanred COMELEC to implement the security features of its Automated Voting System (AVS) prior to the hack.

Aftab Afzal, senior vice president EMEA at NSFocus, told SCMagazineUK.com that the breach highlights just how critical it is to have in-depth data / network security polices, processes, tools with real world risk registers.

“Cyber-security is still too often seen as an expense and as most organisations are driven to reduce costs they can leave themselves exposed.  When considering cyber-security for your organisation, you should work backwards from your risk analysis/ register to ensure your are covered. The cost of protection should be offset by the impact and cost of damages.  Budget restrictions can also be offset by smart vendor selection,” he said.

Luke Jennings, Head of Research and Development at Countercept by MWR InfoSecurity, told SCMagazineUK.com that there are a wide range of vulnerabilities that can affect common web server technologies and the custom website code that is written to run on them.

“The more serious of these can allow hackers to gain full control over the website and any databases used by the website. With such a wealth of personal information it significantly increases the risk of both identity fraud and financial fraud targeting the affected citizens,” he said.

Trent Telford, CEO at Covata, told SCMagazineUK.com that such a problem was likely to happen in the UK.

“The methods and attacks that hackers are using are constantly evolving and, as businesses continue to collect and store more information about their customers and contacts, the fruit for hackers to pick is simply becoming riper.  Cyber-criminals don't care about sector and they'll quickly hone in on the organisations that don't have the utmost security measures in place; no business can afford to stick their head in the sand and assume that they are safe,” he said.

Privitar's vice president Chris Smith, told SCMagazineUK.com that organisations need to evolve data management practises and embrace a privacy-by-default approach to data security and privacy. 

“By ensuring that only essential data is visible in any given process, organisations can extract essential value from data while complying to the strictest standards for data protection. This data-centric approach effectively separates data utility from data identity and will allow organisations to confidently use sensitive data without the fear of serious repercussions,” he said.