Philippines’ Commission on Elections found liable for data breach

The Philippines’ National Privacy Commission (NPC) has found the Commission on Elections (Comelec) liable for the data breach at its voter database last March. Comelec Chairman J. Andres D. Bautista will face criminal charges for the negligence.

In a ruling signed last December 28, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures. 

“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of Comelec’s privacy and security policies and practices,” the decision reads.

The hacking incident last March leaked the entire database of the Comelec and exposed data of 55 million Philippine voters, making them susceptible to fraud and other risks. While the agency downplayed the incident, security firms say otherwise.

Trend Micro’s own investigation into the leak showed that the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. It said there were also 15.8 million records of fingerprints and a list of people running for office since the 2010 elections.

In its ruling, the NPC confirmed that the incident was the worst recorded breach on a government-held personal database in the world, based on sheer volume. It also stated that the Comelec violated Sections 11, 20 and 21 of Republic Act No. 10173 in the discharge of the agency’s duty as “personal information controller.”

The NPC noted that the personal data in the breach is contained in several databases kept on the website: the voter database in the Precinct Finder web application, containing 75.3 million records; the voter database in the Post Finder web application, which contains 1.3 million records; the iRehistro registration database, with 139,301 records; the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and the COMELEC personnel database, containing records of 1,267 Comelec personnel.

The NPC decision also gave a rundown of the types of compromised sensitive personal information contained in Comelec’s two web-based applications: the voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.

As corrective measures, the NPC has ordered the Comelec and Bautista to appoint a Data Protection Officer in one month’s time from receipt of the decision. 

It was also ordered to conduct an agency-wide Privacy Impact Assessment within two months, and create a Privacy Management Program and a Breach Management Procedure within three months. 

Within six months, the Comelec should implement organizational, physical and technical security measures in compliance with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.

The NPC has also recommended to the Secretary of Justice “further investigation for possible prosecution” under the Cybercrime Prevention Act, having found that one of the computers used in the Comelec data breach had an IP address registered with the National Bureau of Investigation (NBI).

The NPC is a regulatory and quasi-judicial body created in March 2016 by virtue of the Data Privacy Act of 2012.