The National Privacy Commission (NPC) has recommended data privacy charges against an employee of election technology firm Smartmatic and a suspected hacker for the “breach” of election data months before the May polls last year.
But the commission cleared Smartmatic and the Commission on Elections (Comelec) of liability for concealing the data leak, ruling that they were under no obligation to report the matter to the NPC.
In a decision dated Sept. 22 but released only this week, the NPC accepted Smartmatic worker Ricardo Argana’s confession to the National Bureau of Investigation that he gave a certain Winston Steward access to the company’s servers through his computer in the Comelec office.
He said he did so in exchange for an offer of P50,000 to P300,000 in cash.
In his sworn statement to the NBI dated Feb. 2, 2022, Argana said he worked for Smartmatic from August 2021 to January 2022 as a quality assurance tester in the Comelec office.
He said he received a private message from Steward on Facebook Messenger offering him money in exchange for access to his computer.
“When he went to the Comelec office for work, he gave access to his computer using AnyDesk app through the internet while connected to Smartmatic servers in the last week of December 2021,” the NPC said.
But Steward did not fulfill his end of the deal, paying Argana only with online computer lessons, such as on Cobalt Strike and lateral movement, the NPC said.
Argana said he had connived with the hackers to earn money as he had a two-month-old baby.
Other than Argana and Steward, the NPC did not name other persons who should be prosecuted for unauthorized access or intentional breach under Section 29 of the Data Privacy Act of 2012.
Overseas voters list
The breach may have led to external parties obtaining illegal access to data from the Comelec’s site survey forms and, possibly, its overseas absentee voters list, according to the NPC.
“These individuals committed unauthorized access or intentional breach when they broke into Smartmatic’s servers that store personal or sensitive personal information,” the NPC said in the decision signed by Deputy Privacy Commissioner Leandro Aguirre and Privacy Commissioner John Naga.
“These individuals are recommended for prosecution [by the Department of Justice],” it added.
Under Republic Act No. 10173, Argana and Steward may face a penalty of one to three years in prison and a fine of between P500,000 and P2 million if found guilty of the violations.
But against the findings of its own complaints and investigation division (CID), the NPC ruled that Smartmatic and Comelec were not liable for concealment of the security breach involving sensitive personal information under Section 30 of the data privacy law.
The NPC said the first and third requisites for mandatory breach notification were not present in the case, noting that the data did not involve sensitive personal information and that the breach was not likely to cause real harm to the affected persons.
Can’t be used for fraud
According to the commission, the name, signature and designation of data subjects contained in the site survey forms could not be considered sensitive personal information that may be used for identity fraud.
It added that the data subjects whose personal information was exposed in the forms were either government employees or contractual workers.
The NPC also said its CID failed to prove the claim of the supposed group of hackers that it had accessed the personal data of 138,900 overseas voters.
“The only thing that the CID’s test confirmed is that some of the people on the artifacts are real people. The test results, however, do not show that the list came from a breach of Comelec’s or Smartmatic’s systems or servers,” it said.
Cybersecurity division
In response to the ruling, Comelec said it would create a “cybersecurity division” to prevent similar incidents.
“Our officials and personnel are currently training on cybersecurity so that we can already establish this new office which is necessary if we are to keep in step with the advancement of technology,” Comelec spokesperson Rex Laudiangco said in a statement on Thursday.
The breach of Comelec data was first reported by the Manila Bulletin in early January last year.
In its report, the Bulletin said its Technews team received a tip from a source about a hacking incident at the Comelec involving over 60 gigabytes of data, which it said “could possibly affect the May 2022 elections.”
It said the stolen data included usernames and personal identification numbers (PINs) of vote-counting machines, but the Comelec denied this, asserting that “such information still does not exist in Comelec systems” at that time.
In March 2022, after a closed-door session of the joint congressional oversight committee on the elections, Sen. Imee Marcos said the breach was accomplished by members of a group calling itself XSOX, which she suspected to be a “criminal hacking syndicate.”
The group has a Facebook page where it posted some of the data, including personal information on Comelec personnel and Smartmatic operations which it claimed to have obtained.