A cyber-attack on the website of the Philippines Commission on Elections (Comelec) has resulted in personally identifiable information (PII) of roughly 55 million people being leaked online.
While there are no exact details on the number of affected people, it appears that hackers managed to grab the entire voter database, which includes information on the 54.36 million registered voters for the 2016 elections in the Philippines. Information on voters abroad also leaked, along with other sensitive data.
Should the data in this leak prove genuine, it would make the breach one of the largest so far this year, on par with the recent hack of a database apparently containing details of almost 50 million Turkish citizens, which prompted Turkey's authorities to launch a probe into the incident. It would also be the largest breach after the Office of Personnel Management attack last year.
As the Philippines prepares for the upcoming national elections on May 9, Comelec has been pressed for increased transparency, and the security of its Automated Voting System (AVS) has been questioned. The breach also reveals that the commission doesn’t employ all of the necessary security measures to keep its systems safe.
The data leak incident began on Sunday, March 27, when Anonymous Philippines hacked and defaced the Comelec website. The hacking group was reportedly looking to encourage the commission to implement the security features of vote-counting machines (VCMs), also known as precinct count optical scan (PCOS) machines.
Soon after, a second group of hackers, calling itself LulzSec Pilipinas, said that it too had breached the Commission’s systems and had managed to grab the entire database. The group posted links to an index of files that could be downloaded, including a massive comweb.sql.qz archive, which Anonymous Philippines was able to access as well.
The archive was found to include information on candidates, parties, election years and the type of polls (such as national and local elections). According to Rappler, the file contains 75.3 million rows of records about people, including names, birth dates, residential addresses, birthplaces, and Voter’s Identification Numbers (VIN), along with records of registered overseas Filipino voters (OFV).
Real time ballot count included in the leak
According to TrendMicro researchers, who had a look at the archive, the data dump contains 1.3 million OFV records, including passport numbers and expiry dates, all of which were kept in plain text. The researchers also discovered 15.8 million records of fingerprints, along with a list of people running for office since the 2010 elections.
The database also included files listing all candidates running in the election, with the filename VOTESOBTAINED, which should reflect the number of votes each of them received, but which were set to null. A real-time ballot count during the actual elections was also displayed on the site, though Comelec spokesperson James Jimenez suggested this function would be available on a different, more secure website.
Jimenez tried to downplay the incident, suggesting that no actual data was accessed in the breach and that the National Bureau of Investigation was contacted to look into the leaked data. He also suggested that the hackers only managed to grab “a list of names and addresses” and that they can’t make much use of the data.
While the data breach might not influence the impending elections, the leak of voter information might eventually affect millions. Identity theft, phishing, scams, and other nefarious activities might increase quickly after the leak.
Hacktivists looking to embarrass organizations
The incident, however, might have nothing to do with cybercriminals’ pursuit of financial gain, but could be merely the doing of organized hacktivists, Nathan Wenzler, Executive Director of Security at Thycotic, tells SecurityWeek. The rise of hacktivists, he says, is the result of organized hacker groups forming corporations to steal data for financial gain, a growing trend over the past several years.
“Groups like Anonymous, LulzSec, and The Lizard Squad are fairly well known in the security community. Over the last couple of years, more and more data breaches are being committed by these groups, and the resulting data lost is not used for financial gain, but rather to embarrass organizations who fail to properly protect their data and shame them into improving their security postures. Additionally, these data breaches can be used to make political statements or other social commentary against those who are deemed to be ‘bad’ by the hacktivist groups,” Wenzler said.
“And, as we’re seeing with this Comelec breach, that’s precisely what’s happening. Philippine factions of Anonymous and LulzSec are not selling the stolen data on the black market for financial gain, but have made it public to shame the various agencies which should be protecting that data into doing so,” he added.
However, the breach also opens up the potential for other nefarious groups and criminal organizations to take advantage of the leaked data and use it against the individuals who have information in those databases. According to Wenzler, this is where the hacktivism effort becomes an issue.
“While the Comelec absolutely has a responsibility to protect constituent data, and should be held accountable for this breach, the potential threat caused by the hacktivist groups in publishing this data publicly may cause even greater harm in the long run.”
“The fallout from this breach will be years in the making, but hopefully all parties involved will be taking immediate steps to minimize the damage to the citizens affected by this loss,” Wenzler concluded.