Commission on Elections Chairman Andres Bautista is seen during a Senate Committee on Local Government hearing at the Senate in Pasay City, Metro Manila on 24 August 2016. The Senate is looking into extending the term of office of elected barangay officials to five years. Voltaire Domingo, NPPA Images

(UPDATED) - The National Privacy Commission is recommending criminal charges against Commission on Elections Chairman J. Andres D. Bautista for the data breach that saw personal data of 1.3 million overseas Filipino voters, including their passport information, as well as fingerprints of 15.8 million people leaked on the internet.

"We have already forwarded the decision to the Secretary of Justice," said NPC Deputy Commissioner Ivy Patdu.

In its decision dated December 28, 2016, the NPC said it found the Comelec guilty of several violations of the Data Privacy Act of 2012 for the data leak that occurred between 20 and 27 of March last year.

Specifically, it said Comelec violated Sections 11, 20, 21, 22 and 26 of the Data Privacy Act concerning security of personal information, accountability, and accessing of personal information and sensitive personal information, with penalties of 1-3 years jail time and fines of up to P500,000.



The commission, however, cleared from criminal liability Comelec Commissioners Christian Robert Lim and Al Parreño, executive director Jose Tolentino Jr., poll body spokesperson James Arthur Jimenez, and information technology officers Ferdinand de Leon, Jeannie Flororita and Eden Bolo.

"We did not say that Chairman Bautista was found guilty. We have substantial evidence to recommend prosecution for the crime under section 26. For the others, we did not have sufficient evidence that would warrant a finding that the acts they have committed are tantamount to the negligence contemplated by the crime as defined by the Data Privacy Act," Patdu explained.

Global security software company Trend Micro earlier said the data dump of the Comelec's entire database online "may turn out as the biggest government related data breach in history."



It earlier warned that criminals can use the leaked personal information of Filipino voters for extortion and other illegal activities.

A group claiming to be Anonymous Philippines earlier defaced the Comelec's website, demanding that the poll body implement the security features of the vote-counting machines for the May 9, 2016 elections.

NPC Commissioner Raymond Liboro said personal data of millions of voters in the breach are contained in several databases kept in the website.



This involves 75,302,683 records in the Precinct Finder web application; 1,376,067 in the Post Finder web application of Filipinos living overseas; 139,301 in the iRehistro registration database; 896,992 personal data records in the firearms ban database and 20,485 records of firearms serial numbers; and 1,267 records of Comelec personnel.



"It is now globally recognized that this incident is the worst recorded breach in the government-held personal database in the world, based on sheer volume," Liboro said.



Patdu added that the commission's decision was not only based on information provided by the Comelec.

The NPC also called in the National Bureau of Investigation, the Department of Foreign Affairs, the Philippine National Police and even the telco provider.



"We conducted the investigation involving everyone we thought was relevant to the case. The records submitted here are voluminous. We looked into the resolutions that they passed. We looked into the security measures that they implemented and from those this is the decision we decided after evaluation of the evidence," Patdu said.



"We have to accept the fact that our personal data is already out there. The danger is there even if it's not immediately apparent now. It's there. That's why this is an opportunity for the government, the private sector to please take data protection seriously."

A group claiming to be Anonymous Philippines earlier claimed to have defaced the Comelec's website, demanding that the poll body implement the security features of the vote-counting machines for the May 9, 2016 elections.

Another group, LulzSec, said it leaked online 340 gigabytes of the Comelec database.

Bautista earlier said the hackers failed to access any confidential information that may derail the 2016 elections. He also admitted that details from "passports of certain overseas Filipino voters" were leaked.

At least two suspects have been arrested by the National Bureau of Information for the Comelec data breach.

DATA PROTECTION OFFICER

In its decision, the NPC ordered Comelec and Bautista to make corrective measures by appointing a data protection officer within one month from receipt of the decision; conduct a privacy impact assessment within two months from receipt of the decision; create a privacy management program within three months from receipt of the decision; create a breach management procedure within three months from receipt of the decision; implement organizational, physical and technical security measures within six months from receipt of the decision.

"Also, this commission further orders the respondents Commission on Elections and Comelec Chairman Bautista to cause the conduct of an independent security audit of all its personal data, processing systems including those hosted by service providers within 3 months from receipt of the decision and conduct a similar audit annually for the next 5 years," the decision stated.

It also orders the Comelec and Bautista to report to the NPC every six months for five years from receipt of the decision.