Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Philippines’ Commission on Elections (COMELEC). While initial reports have downplayed the impact of the leak, our investigations showed that a huge amount of sensitive personally identifiable information (PII), including passport information and fingerprint data, was included in the data dump.

Following the defacement of the COMELEC website on March 27 by a hacker group, a second hacker group posted COMELEC’s entire database online. Within the day, they added three more mirror links where the database could be downloaded. With 55 million registered voters in the Philippines, this leak may turn out to be one of the biggest government-related data breaches in history, surpassing the Office of Personnel Management (OPM) hack in 2015 that leaked PII, including fingerprints and social security numbers (SSN), of 20 million US citizens.

Election Tension

With the upcoming Philippine national elections on May 9, the incident puts further pressure on the COMELEC and their Automated Voting System (AVS). The first hacker group gave a stern warning for COMELEC to implement the security features of the vote counting machines. However, the actions of the second hacker group have exposed COMELEC's weaknesses in terms of network and data security.

In a statement, COMELEC spokesperson James Jimenez admitted that the security of the website is not high. However, he pointed out that the AVS runs on a different, more secure network and that the recent hack will not affect the machines. Jimenez expressed confidence in the security features of the AVS and reassured the public that things will go smoothly during the elections.

There are, however, discrepancies between the statements made and our findings. COMELEC officials claimed that there was no sensitive information stored in the database. However, our research showed that massive records of PII, including fingerprint data, were leaked. Included in the data COMELEC deemed public was a list of COMELEC officials that have admin accounts.

"VOTESOBTAINED"

Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone. Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections.

In addition, among the data leaked were files on all candidates running in the election with the filename VOTESOBTAINED. Judging by the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED files are set to NULL.

The COMELEC website also shows a real-time ballot count during the actual elections. While COMELEC claims that this function will be done using a different website, we can only speculate if actual data will be placed here during the elections and if tampering with the data would affect the ballot count.

Every registered citizen at risk

Regardless of whether the hacking could affect the elections, there is still the issue of all the voter information that was leaked. Reports stated that while some of the data were encrypted, there were some fields that were left wide open.

Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion. In previous data breaches, stolen data has been used to access bank accounts, gather further information about specific persons, serve as leverage for spear phishing emails or BEC schemes, carry out blackmail or extortion, and much more.

Data Classification and defending against data breaches

Data breach incidents make daily headlines and affect businesses (whether enterprises or small and medium-sized businesses) from various industries and large organizations. According to our research paper, Follow the Data: Dissecting Data Breaches and Debunking Myths, government agencies are the third biggest sector affected by data breaches, followed by retail and financial industries. Healthcare and education are the top and second-most affected industries, respectively.

The recent security incidents highlighted the need for a stronger security mindset and data classification, given the possible impact of the breach on voters. This also brings to the fore the importance of having data protection officers who would be responsible for the legal requirements as well as for securing all types of crown jewels or highly sensitive data of organizations.

“It will be crucial for companies to employ Data Protection Officers, but even then it will be an uphill battle for various reasons, including cultural differences. For example, in Germany, having a Data Protection Officer is necessary by law, but in other countries, it’s not. Companies might even think that they don’t need one,” shares Raimund Genes, Chief Technology Officer for Trend Micro.

Organizations and companies take a heavy hit with each case of data breach, but those who are truly at risk are the owners of the stolen data. As such, instilling a security mindset should be essential when dealing with important data. As the case of COMELEC shows, companies and organizations should practice data classification. Data classification is done to segregate data of varying sensitivity and apply appropriate protection to each category:

High Sensitivity – Data such as the voter database falls under high sensitivity data, which is confidential and restricted. High sensitivity data, when stolen, may cause damage or harm to one or more individuals.

Medium Sensitivity – This data is usually for internal use only. The COMELEC leak does not appear to have leaked medium sensitivity data, but examples include company emails and documents.

Low Sensitivity – This data is usually made public and unrestricted. In the leak, low sensitivity data includes the candidate list and their information. Loss of this data type is not considered critical.

After classifying the data, the next step is to defend it. Methods vary depending on the data, how it’s stored, and who can access it. Sensitive data needs to be stored in a separate or disconnected network and needs higher security clearance to be accessed.
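The classification and protection steps above can be checked mechanically against a data inventory. The following Python sketch is an added example, not part of the original article or any COMELEC system; the field names, network zones, and numeric clearance levels are constructed assumptions chosen to mirror the three tiers described.

```python
import re
from dataclasses import dataclass

# Illustrative name patterns per tier, checked from most to least sensitive.
TIER_PATTERNS = [
    ("high", re.compile(r"passport|fingerprint|voter", re.I)),
    ("medium", re.compile(r"email|memo|internal", re.I)),
]
# Minimum controls per tier (assumed values): high-sensitivity data sits on a
# separate network, is not kept in plain text, and needs higher clearance.
REQUIRED = {
    "high": {"zone": "isolated", "encrypted": True, "clearance": 3},
    "medium": {"zone": "internal", "encrypted": False, "clearance": 2},
    "low": {"zone": "public", "encrypted": False, "clearance": 0},
}
ZONE_RANK = {"public": 0, "internal": 1, "isolated": 2}

@dataclass
class Field:
    name: str
    zone: str            # network segment where the field is stored
    encrypted: bool      # False means stored in plain text
    read_clearance: int  # lowest clearance level allowed to read it

def classify(field_name):
    """Return the sensitivity tier for a field name; unmatched names are low."""
    for tier, pattern in TIER_PATTERNS:
        if pattern.search(field_name):
            return tier
    return "low"

def audit(fields):
    """List (field, tier, problem) for every control the field falls short of."""
    findings = []
    for f in fields:
        tier = classify(f.name)
        req = REQUIRED[tier]
        if ZONE_RANK[f.zone] < ZONE_RANK[req["zone"]]:
            findings.append((f.name, tier, f"stored in {f.zone} zone, needs {req['zone']}"))
        if req["encrypted"] and not f.encrypted:
            findings.append((f.name, tier, "stored in plain text"))
        if f.read_clearance < req["clearance"]:
            findings.append((f.name, tier, f"readable at clearance {f.read_clearance}"))
    return findings

# Constructed inventory for illustration only.
INVENTORY = [
    Field("voter_passport_number", "public", False, 0),
    Field("voter_fingerprint_template", "isolated", True, 3),
    Field("staff_email", "internal", False, 2),
    Field("candidate_name", "public", False, 0),
]

if __name__ == "__main__":
    for name, tier, problem in audit(INVENTORY):
        print(f"[{tier}] {name}: {problem}")
```
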

Here are other ways to prevent and defend against data breaches:

Patching systems and networks accordingly – regular patching and updating of systems can prevent cybercriminals from exploiting vulnerabilities which can open the doors to your networks.

Educate and enforce – employees must be trained to respond to threats, know social engineering tactics, and know how to enforce guidelines on how to handle specific situations.

Implement security measures – create processes that can identify and address network threats. Regularly conduct security audits to make sure all systems connected to the network are secured.

Create contingencies – in case of a data breach, an appropriate response plan must be put into action. This is to minimize confusion by being ready with persons to contact, steps to mitigate the damage, and strategies to disclose the incident to relevant publics.

End point solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect companies and organizations by detecting malicious files that are used as infiltration methods during data breaches. We also secure enterprises via our Trend Micro Network Defense and Hybrid Cloud Security solutions, which detect and prevent breaches anywhere on your network to protect an organization’s critical data and reputation.