After a computer at the Office of the Election Officer (OEO) in Wao, Lanao del Sur was stolen last January 11, 2017, the National Privacy Commission (NPC) ordered the Commission on Elections (COMELEC) to take serious steps to address its vulnerabilities. Are we looking at Comeleak Part 2?
Let me start with the facts surrounding the robbery then add my perspective.
Here is a timeline of events.
January 11 – The COMELEC office in Wao, Lanao del Sur, was ransacked by unknown persons while Casan T. Laguindab, Election Officer III, was attending a training seminar in Marawi City.
January 12 – An employee of the Municipality of Wao, Madelyn T. Abao, who was detailed at the COMELEC office for Wao, Lanao del Sur, reported the theft to the Officer-in-Charge of the Wao Municipal Police Station.
January 25 – The Information Technology Department (ITD) issued a Memorandum directed to COMELEC Executive Director Jose M. Tolentino, Jr. recommending that notice be sent to the National Privacy Commission.
January 28 – The COMELEC informed the NPC that there was a data breach involving the Wao, Lanao del Sur Computerized Voters List.
January 30 – The NPC required the COMELEC to furnish, within five (5) days, the full report of the data breach, and to comply with the requirements of NPC Circular No. 16-03 on Personal Data Breach Management.
February 3 – COMELEC submitted their report on the January 2017 Wao data breach.
February 8 – NPC starts probe and conducts a systems investigation in the COMELEC to help the NPC determine the scope and extent of the data breach.
February 13 – Based on the report from the Investigating Team, the NPC issued a Compliance Order requiring the COMELEC to take remedial action on the data breach.
At present – The investigation is still ongoing so there are still no findings on liability
What data was on the stolen computer?
According to COMELEC, the computer contained the following:
- Voter Registration System (VRS) – the application used by Election Officers (EO) to encode the demographic data and capture biometrics of registrants. The VRS produces a list of registered voters for the Municipality of Wao.
- Voter Search (VS) – the application that uses the National List of Registered Voters to determine if an applicant is already registered in the same or another municipality/city so that the EO can advise applicant as to the type of application he should file (Registration, Reactivation, Transfer/Transfer with Reactivation, Change/Correction of Entries, or Inclusion/Reinstatement of Records in the List of Voters)
- National List of Registered Voters (NLRV) – the database that has demographics data only (no biometrics data) of all registered voters in the country (active and deactivated).
How many registered voters are affected by the data breach?
The data breach exposed information found in the NLRV and the Voter Search application as well as detailed voter registration records of registered voters from Wao, Lanao del Sur.
Wao has 58,364 registered voters. 40,991 (as of October 18, 2016) are for the barangay elections; 17,373 (as of September 13, 2016 are for the Sangguniang Kabataan (SK) elections. 35,491 of those for barangay elections are active while 5,500 are deactivated. For SK elections, 17,336 are active records while 37 are deactivated.
The NLRV contains approximately 75,898,336 records as of October 17, 2016. 55,195,674 of these are active records while 20,703,662 are deactivated.
COMELEC, in its report to the NPC, stated that the personal information in both the VRS and the NLRV have been encrypted using AES-256 encryption since October 17, 2016.
Has COMELEC taken additional steps after the incident?
COMELEC and NPC have already moved to mitigate the risks posed by the data breach including requiring biometrics authentication (aside from user ID and password) prior to access to the VRS and NLRV, considerations for CCTV cameras in all field offices, limiting physical and digital access to personal data, and mandatory changing of passwords regularly.
In its initial probe, the NPC discovered that all COMELEC field offices maintain their own soft copies of the entire NLRV database containing the personal information of roughly 55 million voters. In a Compliance Order dated February 13, 2017, NPC directed COMELEC to erase all copies of the NLRV in those computers. Eventually, only a limited number of personal data will be captured by the NLRV database — Name, place of registration, birthday and status of registration. Registration forms will be streamlined as well and unnecessary fields such as height, weight, and education attainment will be eliminated.
In the same Compliance Order, NPC also tasked COMELEC to inform all those affected by the personal data breach within two weeks and to submit to NPC its “proposed and implemented revisions” in the voter registration process, considering the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other related NPC circulars.
What are some of my observations regarding the data breach?
On the time it took to inform authorities
NPC Commissioner Raymund Liboro, in a press conference earlier, mentioned that it took two weeks since the computer was stolen for COMELEC to inform NPC. COMELEC’s Tolentino, at the same press conference, said that COMELEC’s mindset was on the operational aspect of the registration process – to act to replace the stolen computer so that the registration process in Wao would not be disrupted.
Personally, I believe that COMELEC’s mindset needs some reorientation when it comes to data privacy incidents. Yahoo, for example, suffered a backlash from security experts and the public when it only disclosed a late 2014 breach in September 2016 — two years later. A second Yahoo data breach in August 2013 was also only reported December 2016. Just a few days ago, Yahoo reportedly sent account holders warnings about malicious hacks related to a third data breach that the company disclosed late 2016. The result of such late disclosures are eroding confidence in what was a very popular email provider. COMELEC cannot afford any more data breaches as it may result in an erosion of public trust in how it safeguards sensitive voter information.
On the NLRV database being kept in all COMELEC field offices
This bit of information was quite alarming. Everyone’s personal information provided to COMELEC resided in every COMELEC field office’s computer! So much of that information was not relevant to, or needed by, the field office level. Why was our information duplicated across the field offices?
We were aghast last year over Comeleak because it was a hack directly into COMELEC Central which exposed, among others, the information on the NLRV database. And yet here were NLRV soft copies sitting in different field offices with no assurance as to how these copies were being secured.
It was right for NPC, in its Compliance Order, to order the erasure of the NLRV from these field offices’ computers if they could not secure them. With the Data Privacy Act in place, personal sensitive information we gave to COMELEC must be accessible only on a “need to know” basis.
On AES-256 encryption
COMELEC said that its NLRV and VRS are encrypted using AES-256 encryption. It appears that NPC’s advice to COMELEC to use AES-256 encryption is a good one. So far, there is no known incidence pointing to AES being cracked. It’s currently the gold standard for governments and businesses that need to place a great deal of faith that its security key can never be broken.
This is not to say that COMELEC can afford to be complacent. Security people say that cracking a security key is not a case of IF but WHEN. NPC will continue to play an important role in terms of staying up to date with security developments so it can recommend, and require, when needed, the most appropriate tools, processes, and persons needed to maintain the strictest data privacy over voter information.
In COMELEC’S memorandum to NPC dated February 3, 2017, they described the consequences of the personal data breach in this way “If the robber will be able to gain access to the VRS, and to decrypt the VRS and the NLRV data, the personal data might be used by unscrupulous persons for purposes other than those legitimately intended.”
We are all exposed already to threats from phishing, identity theft, hacking, viruses, malware and more because of our online presence. And yes, astute hackers with the right tools will still be able to hack into government sites. However, it behooves a government agency, holding our static (permanent) personal sensitive information, to do everything in its power to make it more difficult to access that data. The security actions may not be 100% hack-proof but you also don’t want to make it easier for hackers.
I truly hope this is the last COMELEC data breach. What do we do now that our personal information is out in the dark web? We can only do partial remedial action because we can change passwords but we cannot change our birth date or mother’s name. If you want some tips on what to do to start protecting yourself online, here is my 2-part article which I released before the Christmas break last year.
This post is supported by a writing grant from the Philippine Center for Investigative Journalism (PCIJ).