MANILA — To prevent a repeat of the 2016 “Comeleak” data breach, the Commission on Elections is considering limiting the information publicly available on its website’s precinct finder service.
Comelec spokesperson James Jimenez pointed out that in verifying one’s voter registration status, for example, data such as a voter’s residential address need not be made available online.
He explained that responses to such a question may be limited to a “yes” or a “no.” Verifying the district where one has been registered as a voter can be done by inputting one’s address.
“If we can limit the information that it is strictly responsive to the question, then that is a form of data protection,” Jimenez said.
He added: “We can remove the availability of other information in the database so it won’t be that inviting to hackers.”
The poll spokesperson made the remarks at a recent forum in Manila during which he discussed the Comelec’s efforts to protect the data of millions of voters following last year’s “Comeleak” fiasco.
In March 2016, the Comelec website was defaced and hacked, with sensitive voter information of over 77 million voters compromised and leaked on the Internet.
Last month, the National Privacy Commission said Comelec chairperson Andres Bautista might be indicted and criminally prosecuted for the data breach.
Among the corrective measures were the designation of a data protection officer, a privacy impact assessment, and the creation of a privacy management program and breach management procedure.
Jimenez noted that one of the vulnerabilities of the Comelec website prior to the data breach was its precinct finder feature.
“If you can create a database which is limited as to its content of information, it may be harder to hack. That includes deciding what information is available online,” he said.
For now, the precinct finder service has been taken off the website while the poll body is improving its data protection measures.
“Instead, we encourage people to use for their queries our social media accounts which have real operators,” Jimenez said.
Another improvement in the Comelec’s data protection measures was the use of multiple firewalls and the hosting of its website at a facility of the Department of Science and Technology.
He added that Comelec executive director Jose Tolentino Jr., the poll body’s data protection officer, has been tasked to come up with data protection measures to prevent a repeat of the data breach.
“Right now, they are preparing that whole suite of solutions for the challenges that we’ve identified from the hacking incident,” Jimenez said.
So far, the Comelec has not yet received any reports of identity theft stemming from the hacking incident. The poll body set up a dedicated voter care hotline a few months after the “Comeleak.”
Jimenez said the NTC warned them that identity theft cases might take a long time to develop, and that the poll body has been keeping its voter care hotline open.
He noted that the information leaked on the Internet last year was not 100 percent accurate since the leaked data included voters who were already delisted or multiple registrations of a single voter.
Jimenez said the images of the biometric data of voters, such as fingerprints, were untouched by the hackers.
The Comelec spokesperson assured the public that its data security set-up has improved since the data breach incident last year, two months before the 2016 national and local elections.
“The NTC described it as much improved. We have a data protection officer, we have a secure location for our database, and it is located behind multiple firewalls. The NTC said it is better than when the hacking happened,” Jimenez added.