Philippines data breach downplayed, 55mil voters at risk: Trend Micro

• After website defacement, hackers posted Comelec’s entire database online
• Election commission’s reassurances at odds with Trend Micro’s findings

 
WHILE initial reports on the data breach at the Philippines’ Commission on Elections (Comelec) downplayed the impact of the leak, Trend Micro Inc said its investigations showed a huge amount of sensitive personally identifiable information (PII) – including passport information and fingerprint data – were included in the data dump.
 
Every registered voter in the Philippines is now susceptible to fraud and other risks, the company said in a statement.
 
A hacker group defaced the Comelec website on March 27, following which a second hacker group posted Comelec’s entire database online. Within a day, the hackers added three more mirror links where the database could be downloaded.
 
With 55 million registered voters in the Philippines, this leak may turn out to be the biggest government-related data breach in history, surpassing the Office of Personnel Management (OPM) hack in 2015 that leaked PII, including fingerprints and social security numbers of 20 million US citizens, Trend Micro said.
 
Election tension, e-voting
 
With the upcoming Philippine national election on May 9, the incident puts further pressure on the Comelec and its Automated Voting System (AVS), Trend Micro said.
 
The first hacker group gave a stern warning for Comelec to implement the security features of the vote counting machines. However, the actions by the second hacker group have exposed Comelec’s weaknesses in terms of network and data security, the company added.
 
In a statement, Comelec spokesman James Jimenez admitted that the security of the website was not high. However, he pointed out that the AVS ran on a different, more secure network and that the recent hack would not affect the machines.
 
Jimenez said he was confident of the security features of the AVS and reassured the public that things would go smoothly during the election.
 
There are however discrepancies in these statements made and Trend Micro’s findings, the company said in its statement.
 
Comelec officials claimed that there was no sensitive information stored in the database. However, Trend Micro said its research showed that massive records of PII, including fingerprint data, were leaked.
 
Included in the data Comelec deemed public was a list of Comelec officials that have admin accounts.
 
Candidate info
 
Based on its investigation, Trend Micro said the data dumps included 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates.
 
“What is alarming is that this crucial data is just in plain text and accessible to everyone,” the company said.
 
“Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections,” it added.
 
In addition, among the data leaked were files on all candidates running on the election with the filename VOTESOBTAINED.
 
Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED files are set to have NULL as figure.
 
The Comelec website also shows a real-time ballot count during the actual elections.
 
“While Comelec claims that this function will be done using a different website, we can only speculate if actual data will be placed here during the elections and if tampering with the data would affect the ballot count,” Trend Micro said.
 
Every registered citizen at risk
 
Regardless whether the hacking could affect the elections, there is still the issue of all voter information that was leaked, Trend Micro said.
 
Reports stated that while some of the data were encrypted, there were some fields that were left wide open.
 
Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion.
 
In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more, the company added.
 
Public sector at risk
 
In Trend Micro’s research paper, Follow the Data: Dissecting Data Breaches and Debunking Myths, government agencies were cited as the third biggest sector affected by data breaches, following healthcare and education.
 
This also brings to the fore the importance of having data protection officers that would be responsible for the legal requirements as well as securing the crown jewels – the highly sensitive data of organisations.
 
“It will be crucial for companies to employ data protection officers, but even then it will be an uphill battle for various reasons, including cultural differences,” said Trend Micro chief technology officer Raimund Genes (pic).
 
“For example, in Germany, having a data protection officer is necessary by law, but in other countries, it’s not. Companies might even think that they don’t need one,” he added.
 
Citing the example of the Comelec breach, Trend Micro said companies and organisations should practise data classification to segregate data of varying sensitivity, and then apply appropriate protection to each category.
 
For more information on how to classify and protect data, go to the Trend Micro blog post on the Comelec breach here.
 
Related Stories:
 
Time for Asean to consider risks and rewards of e-voting
 
GE13: Evidence of websites, political content being throttled
 
Data breaches continue to dominate threat landscape: Trend Micro
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.