10 Things We All Should Know About #COMELEAK
It was a catastrophe of unmitigated proportions.
(SPOT.ph) In a press conference held on January 5, 2017, the National Privacy Commission released a rather explosive decision: among other action items, it recommended to Department of Justice Secretary Vitaliano Aguirre that Commission on Elections Chairman Andres Bautista be prosecuted for the crime of "Accessing Sensitive Personal Information Due to Negligence" under Section 26 of the Data Privacy Act (RA 10173).
If found guilty, Bautista would face up to six years in prison, a four-million peso fine, and disqualification from holding public office for up to 12 years.
What was the reason for this decision by the National Privacy Commission (NPC)? The infamous "#COMELEAK" hacking incident in the run-up to the May 2016 elections, dubbed by cybersecurity company Trend Micro as "one of the biggest government-related data breaches in history."
Let's count down 10 things we should know about the NPC's decision versus Bautista regarding the #COMELEAK.
10. Who broke open the Commission on Elections (COMELEC) database?
"There are facts that tend to show that COMELEC, as personal information controller, failed to implement reasonable and appropriate measures to protect personal data against human dangers, such as, but not limited to, unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination." - NPC decision
Imagine that your city council passed an ordinance requiring all banks to keep your money in a vault, to keep the vault locked whenever it is not being accessed, and to allow only authorized bank employees to access it. The ordinance says that plans and programs should be made to secure your money; still, even without such an ordinance, common sense would require a bank to be diligent in securing your money.
Imagine that your bank, located in a tough neighborhood, was robbed by persons unknown. Upon investigation, it turns out the bank manager did not make plans on how to keep your money safe, so there wasn't enough security to guard the vault, there were no security cameras monitoring the vault, et cetera. Then the bank manager tells you that it was not his job to make such plans, that he was depending on his staff to make such plans, and that he did not know how to make such plans.
The #COMELEAK incident was worse than that.
Bautista was appointed to the COMELEC on May 4, 2015. Long before his arrival, the Data Privacy Act was enacted on August 15, 2012, and another law with provisions on information security, the Mandatory Biometrics Registration Law (RA 10367), was enacted on February 15, 2013. Bautista should have been mindful of information security and data privacy for the COMELEC from Day One of his appointment as chairman of the commission.
The NPC found out that he was not, and the NPC was scathing in its censure of Bautista:
"What is clear is that there is lack of appreciation on the part of the COMELEC Chairman that data protection is more than just implementation of security measures, but must begin from the time of collection of personal data, to its subsequent use and processing, up to its storage or destruction... The glaring absence of any policy or program intended to ensure that COMELEC adheres to data privacy principles and implements organizational, physical, and technical security measures demonstrates the conscious indifference to consequences and possible harm to data subjects."
The COMELEC database was not really broken open; the COMELEC databases were open and unguarded, ready to be exploited by anyone willing to give the unlocked doors a hard shove.
9. Who exploited the COMELEC vulnerability?
"From March 20 to 27, 2016, on several occasions, unknown actors, using different networks and IP addresses, exfiltrated the contents of the COMELEC website, including the voters’ databases contained therein." - NPC decision
We do not know. The National Privacy Commission mentions multiple persons, networks, and IP addresses. What we do know from the text of the NPC decision and from various news reports at the time is that at least six persons and groups were involved in the #COMELEAK incident:
- AnonymousPH, the hacktivist group that defaced the COMELEC website on March 27, 2016, and touted the defacement in a YouTube video published March 28, 2016;
- LULZSec Pilipinas, another hacker community, which also on March 27, 2016 claimed responsibility for stealing ("exfiltrating") the COMELEC databases, uploading them to file-sharing sites, and posting the download links for the public to access;
- Two young IT graduates, Paul Biteng (reported to have an alias "PhantomHacker Khalifa" in the shadowy Philippine hacking community) and Joenel de Asis, were arrested by the National Bureau of Investigation (NBI) Cybercrime Division for involvement in the #COMELEAK incident (there are claims that Biteng is affiliated with AnonymousPH while De Asis is allegedly affiliated with LULZSec Pilipinas);
- Unknown person or persons stole COMELEC databases on March 23, 2016, from inside the NBI network (whether they were NBI personnel is still undetermined); and,
- Other unknown person or persons who exfiltrated the COMELEC databases during the period from March 20 to 27, 2016.
IT experts describe the #COMELEAK exploitation in dire terms; "multiple counts of gang rape incidents" and "home-grown cyberterrorism" are two among the gravest of the analogies used to describe the #COMELEAK incident.
These IT experts are not exaggerating.
8. Who has copies of the stolen #COMELEAK databases?
Apart from the persons and groups mentioned above, there are at least eight more exploiters of the #COMELEAK incident:
- Unknown person or persons with access to the Malacañang mail servers, who were torrenting the file (the identities of these persons are at this time undetermined), as well as at least six other persons using torrent clients, detected on April 22, 2016; and,
- The website "Philippines, We Have Your Data :b", who acquired the stolen databases through downloading from a filesharing website used by LULZSec Pilipinas, also detected on April 22, 2016.
We do not know, and there is no way to know, all the persons who have copies of the #COMELEAK databases, whether through exfiltration through the COMELEC vulnerability, through download links posted online by LULZSec Pilipinas and others, by torrenting from file-sharing sites, or simply by "sneakernet" real-life sharing between individuals who already have copies.
7. Could the #COMELEAK incidents and stolen databases have affected the elections?
“The COMELEC, in fact, protected the vote. The question is, in its zeal to protect the vote, did it fail to protect the voter?” – NPC Deputy Commissioner Dondi Mapa
The #COMELEAK databases on their own could not be used for election fraud; the Automated Election System ran on separate machines, servers, and networks. The stolen #COMELEAK data, if downloaded by political parties or representatives, would be useful only for planning election campaigns and advertising efforts.
Theoretically, if there was vote fraud, the downloaded data could be used to identify the precinct clusters where cheating (by whatever means) would be needed and where it would not, thereby optimizing the efforts on the ground, lowering the probability of detection during the elections and canvassing, and making the discovery of any such cheating impossible during the random manual audit (discovery would require a 100% re-feed of ballots).
However, barring a few exceptions, the public has accepted that the May 9, 2016 elections were credible, and that no fraud happened that could have affected the results. There is no doubt in anyone's mind that Rodrigo Duterte is the lawfully-elected President.
6. Does the #COMELEAK incident still have any effect on us today?
"The harm to data subjects arising out of a personal data breach are not immediately apparent; the danger exists nonetheless." - NPC decision
The #COMELEAK incident is catastrophic in its scope and its potential effects. All Filipinos who had records in the databases are at risk; their parents, their descendants, their legal representatives, their business dealings, their ability to travel, and their right to vote are at risk as well. Consider what was stolen:
- 75,302,683 records comprising the Precinct Finder web application voter database
- 1,376,067 records comprising the Post Finder web application voter database
- 139,301 records comprising the iRehistro registration database
- 896,992 personal data records comprising the firearms ban database
- 20,485 records of firearm serial numbers, also from the firearms ban database
- 1,267 records comprising the COMELEC personnel database
The risks identified by cybersecurity experts, the security industry, and risk management practitioners include these:
- Risks related to identity theft for a voter, especially sensitive because of the compromise of passport and TIN information;
- Risks of identity theft for a voter's descendants, given that a person's PII includes the identity of his or her parents;
- Financial risks and potential of fraud through the compromise of TINs, profession information, and sector;
- Risks of electronic fraud associated with the compromise of e-mail address information;
- Security risks associated with identification of mailing addresses, gun ban exemption requests, ownership information, license number, and serial number of firearms; and,
- Risk of voter spoofing (the use of someone else’s identity to be able to vote).
This list of risks and threats to all of us is by no means comprehensive; the stolen #COMELEAK records could be collated in such a way that so many other potential risks and threats could come to fruition.
Even more worrisome is that the people most vulnerable to the risks, threats, and effects of the #COMELEAK disaster are those without Internet access, e-mail addresses, or other digital footprints. The 40% of the Philippine population who have no access to the Internet, primarily located in the rural areas of the provinces as well as the urban poor, are the most vulnerable to the risks associated with the #COMELEAK incident. Apart from the risks of crimes and fraud enabled by identity theft, there are risks like the loss of rights over the lands they own, or of the salaries in their payroll ATM cards, or even of being framed for crimes they did not commit, among other things.
These risks and threats will not go away, not for the lifetimes of the data subjects (meaning, us) and the lifetimes of the data subjects’ children. Because of #COMELEAK, we have to look over our shoulders for the next 75 years.
Thank you very much, Chairman Bautista.
5. Could the #COMELEAK incident have been prevented?
"The data hacking was most unfortunate, and it should not have happened. But any government agency could be hit." - COMELEC Chairman Andres Bautista
"What is important is to impress upon everyone that the decision is based on the fact that we expect the head of the agency, the chief executive officer and the chairman of the commission, to implement these measures. There should be top management buy-in, and that responsibility ultimately falls on the head of the agency.” - NPC Deputy Commissioner Ivy Patdu
If Chairman Bautista had provided direction for the COMELEC to comply with the Data Privacy Act and the Mandatory Biometrics Registration law; if the COMELEC had established end-to-end, top-to-bottom policies, procedures, and programs for information security management, risk management, breach management and breach D3RM (deterrence, detection, delay, response, and mitigation), security incident management, and other data privacy fundamentals...
If, if, if, and so many more “ifs,” “should haves,” and “could haves.” These things were not done.
The NPC is clear in its findings that COMELEC's cybersecurity efforts did not even have a modicum of best effort in data privacy protection, and the #COMELEAK vulnerability exploitations and database thefts were performed using the simplest of tools, exploiting the most ordinary of vulnerabilities.
The #COMELEAK was easy for the hackers, because COMELEC’s laxity made it easy.
4. What can be done about the stolen #COMELEAK databases?
"This Commission notes that once copies of a database containing personal and sensitive personal information are made freely available to the public, it is next to impossible to contain." - NPC decision
Realistically, there is nothing we can do about the stolen data now. Troy Hunt, cybersecurity expert, put it succinctly: “It’s too late for those in this breach.”
3. What is being done about those involved in the #COMELEAK incident?
“Should the focus not be on apprehending the hackers instead of punishing the hacked?" – COMELEC Chairman Andres Bautista
Contrary to Chairman Bautista's implication that no efforts are being made to run after the #COMELEAK hackers, Biteng and De Asis are currently being prosecuted for the cyberattack. News reports have also been published about the NBI pursuing a third hacker, but as of this writing there are no reports that this third hacker or anyone else has been caught and indicted.
The National Privacy Commission has alleged Chairman Bautista to be grossly negligent as the head of agency with regard to the COMELEC’s information security and the #COMELEAK incident, and is thus recommending his prosecution. The NPC has also recommended that the Department of Justice investigate the exfiltration performed using the NBI network; as of this writing, NBI spokesperson Ferdinand Lavin, concurrent deputy director for Forensic and Scientific Research Services, said the agency could not make an official comment until after they confer with their computer crimes division.
2. What is being done to prevent something like #COMELEAK from happening again?
"We have to accept the fact that our personal data is already out there. The danger is there even if it's not immediately apparent now. It's there. That's why this is an opportunity for the government, the private sector to please take data protection seriously." - NPC Deputy Commissioner Ivy Patdu
Our personal data is out there, and once out on the Internet it is there forever; the risks exist for as long as we live, and are likely to last through the lifetimes of our children.
Fortunately, there are efforts by government agencies, and by private organizations as well, to mitigate these risks.
The COMELEC has committed to following the recommendations of the NPC. They should have begun as far back as 2012, when the Data Privacy Act was enacted, or even earlier, and at the latest as soon as Chairman Bautista took office, but as the NPC decision stated, Chairman Bautista “had a lack of appreciation...that data protection is more than just implementation of security measures, but must begin from the time of collection of personal data, to its subsequent use and processing, up to its storage or destruction.” Malacañang has also not minced words in demanding action by the COMELEC.
Fortunately, the Bangko Sentral ng Pilipinas is much more aware and active. As early as April 25, 2016, when the “Philippines, We Have Your Data :b” website made the news, the BSP issued a circular ordering all banks to strengthen the identification procedures in bank transactions.
The Department of Information and Communications Technology (DICT) and the Cybercrime Information Coordinating Center (CICC) are in the process of drafting cybersecurity policies for the government and for the private sector.
All organs of government that collect information, from the barangay level upwards to the national level, must learn how to protect the information they collect from us, and while the National Privacy Commission is the lead agency to teach the government how to do this, it is imperative that all levels of government implement these privacy controls.
Otherwise, instead of minimizing the potential of recurrence, we can be certain that another kind of #COMELEAK will happen again.
1. How can we protect ourselves from the impact of #COMELEAK?
"You can minimize the threat of attacks on you through common sense and due diligence." – Democracy.Net.PH
As soon as the story came out, and particularly while the #COMELEAK news went viral, many news organizations made the effort to educate the public on how to protect themselves. ICT advocates like Democracy.Net.PH also led efforts to teach the public how best to defend themselves from the threat of identity theft arising from the #COMELEAK.
Here are some basics on how to protect yourself:
- Knowing what is at risk, take immediate steps to strengthen online accounts:
- Immediately increase privacy and security levels for e-mail accounts, banking and financial portals, social network accounts and other user interfaces. Wherever possible, enable two-factor authentication (2FA) for your accounts.
- Immediately change all security questions and all answers to security questions to information that cannot be guessed from the compromised database.
- Treat the answers as secondary passwords. Merely dressing up a leaked fact with alphanumeric substitutions (typing "baguio" as "bagu10" or "B@gu!0") adds little, because anyone holding your record can try those variations; an answer unrelated to anything in the record, or a random string kept in a password manager, is better.
- For even better account security, use misdirective or erroneous answers that are not difficult to remember; for instance, if you use the question “what was the name of your first pet?” use the name of a former boss or teacher.
- When possible, arrange by telephone for your banks and similar institutions to contact you before any transaction is allowed to go through, or to provide a means for you to authenticate your transaction.
- Take steps to secure the personal information that may be the subject of identity theft:
- As soon as practicable, secure your authenticated NSO birth certificate and other identity certificates, and renew your NBI clearance to have basic identity information in case of a challenge due to identity theft attacks.
- If possible, renew identity cards (e.g., PRC and other IDs), passports, and licenses, as these are the documents typically compromised by identity theft attacks.
- Protect yourself from social engineering attacks:
- Do not open, share, or forward suspicious e-mails, or click suspicious links. Protect your computers with updated antivirus and firewall software.
- Do not share your personal information unless you absolutely trust the recipient.
Make sure to share your cybersecurity practices with your family and friends. The weakest link in an entire real-life social network (families, friends, classmates, and officemates) is the one person who did not know how to protect himself or herself.
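The point of the bullets on security questions is that an answer must not be recoverable from a leaked record. The following Python checker is an added example, not part of the original article or of Democracy.Net.PH's advice: it undoes common letter-for-symbol substitutions and compares a candidate answer against the fields of a constructed sample record. The field names are assumptions modelled on the data types listed above (birthplace, parents' names, address), and the values are invented, not from any leak. It goes slightly beyond the text by showing that "bagu10" and "B@gu!0" both reduce back to "baguio", and by generating a random answer that is guaranteed to pass the check.

```python
import re
import secrets
from typing import Dict, Optional

# Constructed sample record for illustration only. The field names are
# assumptions modelled on the data types the article lists; the values are
# invented, not taken from any leaked database.
SAMPLE_LEAKED_RECORD: Dict[str, Optional[str]] = {
    "birthplace": "Baguio",
    "mother_maiden_name": "Santos",
    "father_name": "Jose Reyes",
    "address": "Quezon City",
    "email": None,
}

# Symbol-for-letter substitutions people use when "strengthening" an answer.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "i", "!": "i", "|": "i", "0": "o", "$": "s", "5": "s",
    "7": "t", "+": "t", "2": "z",
})


def normalize(value: str) -> str:
    """Lower-case, undo the substitutions above, and drop anything but letters."""
    return re.sub(r"[^a-z]", "", value.lower().translate(LEET_MAP))


def derived_from_record(answer: str, record: Dict[str, Optional[str]],
                        min_len: int = 4) -> Optional[str]:
    """Return the name of the record field the answer looks derived from, or None.

    After normalisation the answer is rejected if it equals any word of a leaked
    field, or (for words of at least min_len letters) contains or is contained
    in one; short words such as initials are ignored to limit false positives.
    An answer that normalises to nothing is reported as "empty".
    """
    norm_answer = normalize(answer)
    if not norm_answer:
        return "empty"
    for field, value in record.items():
        if not value:
            continue
        for word in value.split():
            norm_word = normalize(word)
            if not norm_word:
                continue
            if norm_answer == norm_word:
                return field
            if len(norm_word) >= min_len and len(norm_answer) >= min_len and (
                norm_word in norm_answer or norm_answer in norm_word
            ):
                return field
    return None


def random_answer(record: Dict[str, Optional[str]], n_bytes: int = 12) -> str:
    """Generate an answer unrelated to the data subject, to be kept in a password manager.

    Re-draws in the (very unlikely) event that the random string happens to
    contain a leaked word, so the returned value always passes the check.
    """
    while True:
        candidate = secrets.token_urlsafe(n_bytes)
        if derived_from_record(candidate, record) is None:
            return candidate


if __name__ == "__main__":
    for candidate in ("bagu10", "B@gu!0", "Santos123", "Mr. Villanueva"):
        print(f"{candidate!r:18} -> {derived_from_record(candidate, SAMPLE_LEAKED_RECORD)}")
    print("random answer:", random_answer(SAMPLE_LEAKED_RECORD))
```

Security-question answers are, in effect, secondary passwords: the checker only flags answers that reduce to a leaked field, while the random generator sidesteps the problem entirely, provided the answer is stored in a password manager rather than memorised.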
An ICT and civil rights advocacy movement, since 2012 Democracy.Net.PH has been actively involved in efforts to improve Philippine ICT legislation and policy development, measures to improve Internet connectivity access and penetration, quality of service, cyberdefense and cybersecurity, in cooperation with international, national, and local government and non-government organizations.
Engr. Pierre Tito Galla, PECE, is a co-founder and co-convener of Democracy.Net.PH. A professional electronics engineer with nearly two decades of training and experience in the ICT sector, Engr. Galla has helped spearhead and push various ICT-related measures, such as the proposed Magna Carta for Philippine Internet Freedom, the enactment of the Department of Information and Communications Technology law, draft regulations for quality of service standards for Internet connectivity, and cyberdefense, cybersecurity, and social media policies for the private sector and for national and local government agencies, the military, and law enforcement.