Officials confirmed on Monday that the theft of a computer at a Lanao del Sur election office in January put the country’s records on 76 million voters at risk in yet another large-scale data breach.
The National Privacy Commission (NPC) announced that it had begun investigating the “very concerning” matter and that it had ordered the Commission on Elections (Comelec) to shore up protection of its database of sensitive personal information.
But the Comelec downplayed the possibility of an actual data breach as “remote,” owing to the use of the leading AES-256 encryption system.
Even as the incident took place in a province that has seen election violence and cheating allegations, the poll body denied the likelihood of the theft having any effect on the results of the 2016 elections.
The Jan. 11 robbery in Wao town is potentially the second such breach of voter data, after the March 2016 hacking of the Comelec’s website led to the so-called Comeleak, dubbed the worst-ever breach of a government-controlled database to have exposed the public to identity theft.
The Comelec reported the theft to the NPC only on Jan. 28 because the poll body had initially treated it as a simple robbery that happened to target the newest computer at its Wao office.
Second large-scale breach
“This is already Comelec’s second large-scale data breach in a span of less than a year—a case of a database being breached twice under different circumstances,” NPC Commissioner Raymund E. Liboro said in a statement.
Liboro stressed that the loss of personal data was “not only an [information technology] security issue involving firewalls” but also “a governance matter that covers organizational and physical measures to protect data.”
The Feb. 3 report of Comelec Executive Director Jose Tolentino Jr. to the NPC acknowledged dire consequences if the robber managed to crack the encryption of the data.
“If the robber will be able to gain access to the VRS (voter registration system), and to decrypt the VRS and the NLRV (national list of registered voters) data, the personal data might be used by unscrupulous persons for purposes other than those legitimately intended,” said the eight-page report that was released only on Monday.
Yet, during his joint briefing with Liboro, Tolentino maintained that thus far, the “data breach has not been confirmed actually” as “all the data are encrypted.”
He said the VRS in the stolen computer was “not in any way connected” to the vote-counting machine. “The only output would be the list of voters,” he explained.
The stolen desktop computer contained the NLRV and the VRS for Wao.
Tolentino said the NLRV was limited to demographic data—name, birthday and similar personal information—of the country’s roughly 75.9 million registered voters (55.2 million of which are active). But the VRS also captures the biometric data of 58,364 locally registered voters in Wao.
Assistant Secretary Allan Cabanlong of the Department of Information and Communications Technology said “technically, you cannot break AES-256 without the key.”
But Liboro pointed out that once the stolen data were out there, there would be no way to know if it had been decrypted and used.
“Whenever you lose control of data, you can never be 100 percent sure of anything,” the NPC head said. “Precisely, you have lost control of the data.”
Still, Tolentino told reporters that the agency had started abiding by the NPC’s subsequent Feb. 13 order to delete the NLRV databases in 1,656 municipal election offices nationwide.
The database was used to verify voter registration status. But after the robbery, the Comelec plans to limit access to the NLRV only to 81 provincial offices and the National Capital Region’s office.
Quarterly passwords
Likewise, the Comelec on Feb. 14 approved multifactor authentication to gain access to the VRS and NLRV, the use of passwords that expire quarterly and the streamlining of registration forms to remove the need for unnecessary personal data like height and educational attainment.
Other measures taken up include limiting the number of personnel who could access data, mandating the regular change of passwords, recording which data have been transmitted electronically and requiring field offices to report to Manila before disposing of unusable computers and no longer useful records.
Tolentino said he also issued a recommendation to Comelec commissioners to procure closed-circuit television cameras for all field offices, although at a hefty cost of P63.4 million.
The poll body also planned to press the Philippine National Police regional headquarters to speed up the investigation of the theft.
Liboro, who was seated beside Tolentino during the briefing, said the theft would be treated independently from the earlier Comeleak, the probe of which was concluded only recently.
He acknowledged that the Comelec was “actually instituting policies” in coordination with the NPC, even if it may not have been fast enough to avoid a repeat of the data breach.
“We just have to speed these things up because we get overtaken by this kind of events,” Liboro told reporters.
In January, the NPC recommended that Comelec Chair Andres Bautista be criminally prosecuted for “gross negligence” over the March 2016 hacking of the Comelec’s website that led to the leak of voters’ personal information.
The NPC’s criminal findings have not been forwarded to the proper authorities yet, according to Liboro, because it is being appealed by the Comelec.
Several databases hit
The hacking of the Comelec website hit several databases.
There was the voter database in the Precinct Finder web application with 75.3 million records, the database in the Post Finder with 1.38 million records, the iRehistro database with 139,301 records, the firearms ban database with 896,992 records (20,485 firearms’ serial numbers) and the Comelec personnel database with 1,267 records.
The Post Finder has details, such as passport information, biometrics description, taxpayer number, mailing address, citizenship, name of spouse, profession, height and physical identifying marks.