In March 2016, the Commission on Elections (COMELEC) fell victim to what is now known as one of the biggest government-related breaches in history. The hack on the COMELEC database leaked the personal information of approximately 55 million registered Filipino voters. The incident soon caused widespread concern and public outrage, prompting FMA to call the attention of the then-newly established National Privacy Commission (NPC). Shortly after FMA’s call, the NPC started an independent investigation into the breach, which is now the subject of the young Commission’s first case. Over the past few months, the NPC conducted several investigatory hearings on the case, at least two of which were attended by FMA.
COMELEC Chairman Andres Bautista talking to the press after the breach // Photo courtesy of: GMA News Online
According to a preliminary report dated 27 June 2016, the fact-finding sessions established that:
- There was a security breach that provided access to the COMELEC database that contained both personal and sensitive information, and other information that may be used to enable identity fraud. The personal data included in the compromised database contained passport information, tax identification numbers, names of firearm owners and information about their firearms, e-mail addresses, among others; and
- In addition to the defacement of the COMELEC website on the evening of 27 March 2016, it is reasonably established that access to the database containing personal data occurred in the week before the defacement, from around eight different networks, over four to five days.
Drawing from these established facts, the NPC is investigating possible violations of Sections 11, 20, 21, 22, and 26 of the Data Privacy Act of 2012. The preliminary report identifies two primary indicators of possible negligence on the part of COMELEC:
- The lack of a clear data governance policy, particularly in the collection and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access; and
- The vulnerabilities in the website, and the failure to monitor regularly for security breaches, allowed unlawful access to the COMELEC website.
The NPC is expected to issue its resolution after a final clarificatory hearing.