A massive data breach appears to have left 55 million Philippine voters at much greater risk of identity fraud and more.
Security researchers warn that the entire database of the Philippines’ Commission on Elections (COMELEC) has been exposed in what appears to be the biggest government related data breach in history. The COMELEC website was compromised and defaced on 27 March by Anonymous Philippines before a second hacker group, LulzSec Pilipinas posted COMELEC’s entire database online days later.
All sorts of sensitive information – including passport information and fingerprint data – appears to have been included in the data dump. Some of the data was encrypted but there were some fields that were left wide open, according to a investigation by Trend Micro.
Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and list of peoples running for office since the 2010 elections.
The data spill comes weeks before upcoming national elections in the Philippines, scheduled for 9 May. Anonymous Philippines warned COMELEC that it ought to harden the security of its vote-counting machines at the time the hacktivists defaced its website.
COMELEC officials are playing down the significance of the breach, telling local media that no sensitive information was accessed and that election-related systems will be run from a separate website.
“I want to emphasise that the database in our website is accessible to the public,” Comelec spokesperson James Jimene said, the Philippine Daily Inquirer reports. “There is no sensitive information there. We will be using a different website for the election, especially for results reporting and that one we are protecting very well,” he added.
Government agencies are the third biggest sector affected by data breach, behind only retail and financial industries. “Regardless whether the hacking could affect the elections, there is still the issue of all voter information that was leaked,” according to Trend Micro.
In previous cases of data breach, stolen data has been used to access bank accounts or used to craft more convincing (spear) phishing or business email compromise scams and more.
The Filipino breach surpasses the US government’s Office of Personnel Management (OPM) hack last year that leaked personal identifiable information including fingerprints and social security numbers of 20 million US citizens. The number of records apparently spilled by the COMELEC leak also exceeds a periodically recycled Turkish data breach potentially affecting nearly 49 million Turks.
Chris Boyd, a senior malware intelligence analyst at Malwarebytes who has lived and worked in the Philippines, said the hack and subsequent breach are the product of a politically charged local hacking scene as well as widespread security flaws in the country’s infrastructure.
“There are a lot of talented hacking groups in the Philippines, and it's no surprise that a hack like this has happened. Whether in hospitals, airports, or shopping malls, every terminal you see there is running Windows XP,” Boyd told El Reg. “Additionally, most conversations at hacking events in the country tend to turn political, with many attendees frustrated with what they feel is underinvestment in the nation's security infrastructure.
"While individuals from the Government do attend security events in Manila and elsewhere, they still ultimately need someone to provide them with the money to do something about it - if nothing else, this hack may speed that process along a little.” ®