Report on Comelec hacking flawed — but flags Election 2022 digital vulnerabilities

JEERS TO the Manila Bulletin for its breaking news report on the alleged hacking of Comelec’s servers, which it claimed to have verified. But the report did not detail its verification process. The report did not include Comelec’s reaction to it. 

In a report published on January 10, the Bulletin said that a “source” contacted them on January 8, telling them that  the Comelec servers were being hacked. The organization’s tech team claimed that they verified the information and “discovered” that sensitive data had supposedly been downloaded by hackers, among them “usernames and PINS of vote-counting machines” and “network diagrams, IP addresses, list of all privileged users, domain admin credentials, list of all passwords and domain policies, access to the ballot handling dashboard, and QR code captures of the bureau of canvassers with login and password.” 

The news organization said that it informed Comelec Spokesperson James Jimenez about its findings and that he said he would raise the concern to the Comelec Steering Committee.

Comelec denied the claim in a press conference on January 10, saying that the downloaded data were not yet online. The commission also questioned Bulletin’s process of verification. Interestingly, some news organizations like Rappler, ANC and ONE News also questioned Bulletin on the same point, interviewing editor Art Samaniego about the story.  There was, however, no expansion of the sourcing to include information technology experts who could have provided more independent assessment. 

Nevertheless, the report should alert the media and the public on the possible digital security threats to the elections especially since several incidents in the past bared  these vulnerabilities – the 2016 Comeleak data breach, which compromised the personal data of 55 million Filipino voters; and the seven-hour lull in the data transmission from the vote counting machines to the transparency server during the 2016 elections. 

Whatever its deficiencies, the Bulletin report flagged the vulnerability of election data to hacking, a matter of security that Comelec needs to guarantee and the media should continue to closely scrutinize before May 2022.