Philippines elections hack 'leaks voter data' By Leisha Chi

BBC reporter Published duration 11 April 2016

image copyright AFP image caption The Philippines is set to hold its general elections in May using automated machines for the third time

The Philippines may have suffered its worst-ever government data breach barely a month before its elections.

Personal information, including fingerprint data and passport information, belonging to around 70 million people is said to have been compromised by hackers.

The Philippine Commission on the Elections (Comelec) saw its website defaced at the end of March.

The Anonymous Philippines group has claimed responsibility for the attack.

The group said it sought to highlight "vulnerabilities" in the system, including the use of automated voting machines that will be used on 9 May.

A second hacker group called LulzSec Philippines is believed to have posted Comelec's entire database online several days later.

Comelec claims that no sensitive information was released, according to multiple reports.

However, cybersecurity firm Trend Micro believes the incident is the biggest government-related data breach in history and that authorities are downplaying the problem.

"Every registered voter in the Philippines is now susceptible to fraud and other risks," it said in a report.

image copyright Getty Images image caption Philippines president Benigno Aquino is set to step down after a six-year single term

Why the Philippines?

The Philippines general election takes place every six years and will see a new president, vice-president and more than 18,000 other officials voted into office.

Investors will closely be watching the polls given the Philippines is one of Asia's fastest-growing economies.

This is only the third time the South East Asian nation has held automated elections and Comelec has faced criticism that security is not tight enough.

Ryan Flores, a senior manager at Trend Micro, said the government's cybersecurity vulnerabilities could lead to the election being "sabotaged".

"One of the more sensitive issues is that the [leaked] database is the same for the automated system being used for the election," he told the BBC.

"Come election period, anyone who has ill intentions can modify the results."

That was one of the reasons Anonymous Philippines cited for hacking the Comelec website.

It posted a message saying "what happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?"

How big is this leak?

Trend Micro believes the Philippines breach may surpass the 2015 hack of the US Office of Personnel Management.

That incident saw the data on 20 million US citizens, including fingerprints and social security numbers, stolen by unknown hackers. Data taken in that attack has, so far, not been found online.

Other high-profile targets in recent years where data has been stolen include online dating site Ashley Madison, US retailer Target and the entertainment arm of Sony.

The healthcare and education industries are the most affected by data breaches, according to Trend Micro.

Government agencies are the third biggest sector, followed by retail and financial industries.

image copyright Trend Micro image caption Healthcare is ranked by one firm as the industry most at risk from a cyber attack

What can be done to prevent similar attacks?

Mr Flores believes such breaches are likely to happen again, particularly in developing countries, and that "a stronger security mindset" was needed.

This includes the hiring of an information security team who would be responsible for highly sensitive data, as well as installing software that can track any irregularities in the network.

Mr Flores said countries like the Philippines "don't really have any agency or mandate in the government to improve their security posture".

"They have more pressing needs rather than digital security," he said. "Being a third world country plays into that."