At the end of March, hackers broke into the database for the Philippine Commission on Elections in what InfoSecurity Magazine is calling “what could rank as the worst ever government data breach anywhere.”
The hack came in a couple of parts: an initial event that defaced the website, while a second group was able to extract the database and release it to the web. The scale of the attack is even larger than that of the Office of Personnel Management breach in 2015, and leaked sensitive information such as fingerprints and passport information.
Shortly after the breach on March 27th, the Philippine Commission on Elections (COMELEC) reported that it was only the website that had been hacked, not their database, and that most of the information that had been leaked was public anyway:
[Comelec spokesman James Jimenez] said the hacking affected the precinct finder, video demonstration and the search function of the website.
“The website’s interface changed. But for the most part, the database are intact. As a standard procedure with any intrusion, we are taking the time to make sure that we remove all the malware codes that were penetrated,” Jimenez said.
…
“The Comelec website has been available to the public so if there are people who want to hack it, they have the opportunities to study its security features. We do not give high level of security in the website, even the precinct finder function, we have back up so it is protected,” he said.
However, in an investigation released earlier this week, TrendMicro discovered that the personal information of upwards of 55 million registered voters was compromised:
Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and a list of people running for office since the 2010 elections.
In addition, among the data leaked were files on all candidates running on the election with the filename VOTESOBTAINED. Based on the filename, it reflects the number of votes obtained by the candidate. Currently, allVOTESOBTAINED file are set to have NULL as figure.
The entire database of 55 million voters was accessed, but it’s not clear if all of those individuals were affected. If they were, it could be one of the largest data breaches to date.
The first group warned COMELEC about vulnerabilities in their systems, particularly in the Automatic Voting Machines that will be used in the upcoming national elections on May 9th.
While this personal information might not directly affect the upcoming election, it does potentially leave millions of individuals who could be targeted by criminals with the information in hand.
COMELEC hasn’t announced any response to the breach, and how they will proceed moving forward is unclear. We’ve reached out to their offices and will update if they respond to our questions.