Ballot boxes used for the 2007 Philippine Barangay election in Davao. Source: Wikimedia
The personal details of more than 50 million voters in the Philippines have been exposed in a breach of the nation’s electoral commission.
Security researchers at Trend Micro reported that the hack contained sensitive personal data, including 15.8 million people’s fingerprints and the passport numbers and expiry dates of 1.3 million expat voters.
The Commission on Elections, called Comelec, was hacked in late March by a group calling itself Anonymous Philippines, a branch of the disparate hacker organisation. The homepage was replaced with a message accusing Comelec of not ensuring the security of voting machines used in the country’s general election next month.
The May 9 election will elect a new president, vice-president and more than 18,000 other politicians into office. It is only the third time automated machines will be used in elections and Comelec has previously been criticised for being too lax with security.
“One of the processes by which people exercise their sovereignty is through voting in an election,” the hackers’ message said. “But what happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?”
The 338GB data hack contains 75.3 million entries on the electoral register, with 54.28 million of them not tagged as disapproved, around the same number as the 54.36 million registered voters in the Philippines.
That makes this hack potentially the “biggest government related data breach in history”, according to Trend Micro, “surpassing the Office of Personnel Management hack last [year] that leaked … fingerprints and social security numbers of 20 million US citizens.”
It even exceeded last week’s record-breaking leak in Turkey of personal information from the Turkish citizenship database, which contained records on 49 million people. Turkey’s population is almost 79 million.
Trend Micro warns that the Philippine hack leaves citizens exposed to criminals. “Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion,” it said. “In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more.”
Last month Comelec downplayed the impact of the compromise. A spokesman said: “I want to emphasise that the database in our website is accessible to the public. There is no sensitive information there. We will be using a different website for the election, especially for results reporting and that one we are protecting very well.”
But Trend Micro said its report “showed a huge number of sensitive personally identifiable information [PII], including passport information and fingerprint data, were included in the data dump.”