Apprehend hackers, not the hacked, says Bautista | Inquirer News
DATA BREACH AT COMELEC

12:24 AM January 06, 2017

Comelec Chairman Andres Bautista GRIG C. MONTEGRANDE/INQUIRER FILE PHOTO

“Should the focus not be on apprehending the hackers instead of punishing the hacked?”

The head of the Commission on Elections (Comelec) questioned on Thursday the findings of the National Privacy Commission (NPC) that he was solely responsible for the data breach of the poll body’s website last year.

Comelec Chair Andres Bautista disputed the privacy commission’s finding that he was grossly negligent and criminally liable for the leak of millions of voters’ data from the Comelec website.

In a statement, Bautista said the commission’s finding “was based on misappreciation of several facts, legal points and material contexts.”

He explained that as head of the Comelec, he “generally trusted the advice and recommendation of IT experts” in areas where he did not have specific expertise.

“If the Comelec information technology (IT) specialists directly in charge of operating the website were found not to be liable, what more those who merely oversee their work and the head of agency?” he said.

Tweets

Bautista also took to his Twitter account (@ChairAndyBau) to express his disappointment.

“I’m saddened by the recent NPC pronouncements placing the entire blame on me, in my capacity as Comelec chair,” he said.

Bautista maintained that he faithfully complied with the duties and responsibilities entrusted to him as head of the poll body.

“I would just like to make it clear that the hacking incident is not related to the results of the 2016 elections,” he added.

In a decision dated Dec. 28, 2016, the privacy commission recommended the filing of criminal charges against Bautista for gross negligence under the Data Privacy Act of 2012.

In March 2016, the Comelec website was hacked and defaced, leaking voters’ data, such as their full names, addresses and birthdays to another website that has since been taken down.

Hackers’ groups

The hackers’ group Anonymous Philippines was reportedly responsible for defacing the website, while another group, LulzSec Pilipinas, leaked millions of voter registration data online.

The privacy commission said the Comelec did not have basic data privacy principles, as it had no existing policy covering data privacy. It noted that the poll body also had no data protection officer.

As corrective measures, the privacy commission ordered the Comelec to appoint a data protection officer within one month, conduct an agency-wide privacy impact assessment within two months, and create a privacy management program and breach management procedure in three months.

The commission also recommended that the Department of Justice investigate its finding that a computer used in the so-called Comeleak had an IP address registered with the National Bureau of Investigation.

In his defense, Bautista said the Comelec did all it could to respond to the security breach and identify, locate and arrest the perpetrators.

Task force

He cited the poll body’s actions of creating a task force to probe the data breach, designating Comelec resource persons for the NPC, and instructing the Comelec executive director to comply with the reportorial requirements of the Data Privacy Act.

A Voter Care Center was established months after Comeleak, with the Comelec claiming it had not yet received any call or inquiry into the data leak.

Bautista noted that the Comelec, in good faith, cooperated with the commission’s proceedings despite the lack of the implementing rules and regulations (IRR) guiding NPC actions, since the IRR was implemented only in August 2016.

The Comelec chair pointed out that the commission conveniently pointed to the head of the poll body as “solely responsible for the data breach.”

IT expertise

Bautista argued that although data privacy and security were important topics that needed to be taken seriously, “these are matters that are best left to IT experts.”

Unlike the privacy commission, which is run by IT practitioners, the Comelec en banc is managed by seven lawyers, he said.

“Hence, we rely on our IT department for expert advice on website/data security and privacy and IT-related matters,” he said.

Bautista added: “Following the decision’s logic, if there is a breach of the Supreme Court website, will the Chief Justice be potentially liable?”

The Comelec chair maintained that he should not be blamed for the supposed failure to appoint a data protection officer as mandated by the Data Privacy Act.

He explained that the Comelec en banc set the policy that the head of the agency was tasked to implement.

“The NPC misappreciated the role of the head of agency in a collegial body. It is the en banc that sets a policy that the head of agency is tasked to implement,” he said.

No data protection officer

He noted that since the Data Privacy Act was passed in 2012, the Comelec had not appointed a data protection officer. He said the entire en banc would have to vote on the appointment of a data protection officer.

Bautista also asked why the privacy commission was focusing on the Comelec in the data leak instead of going after the perpetrators of the hacking incident.

Motion for reconsideration

“Many leading private IT companies and government agencies here and abroad were confronted by data breaches despite putting in place security measures. Given the foregoing, should the focus not be on apprehending the hackers instead of punishing the hacked?” he said.

The Comelec will submit a motion for reconsideration to the privacy commission through the Office of the Solicitor General, although it intends to implement the security recommendations of the commission.
