“Comeleak”: Identity Theft and Election Fraud

Screengrab of the April 23 front page of the Philippine Daily Inquirer.

CHEERS TO several news organizations for quickly cautioning the public on the perils of the massive security leak of the Commission of Elections (Comelec) website that exposed the personal information of around 55 million Filipino voters. A website that contained a searchable database of voters’ information surfaced online on April 21, raising fears that data from the site could be used for identity theft and even election fraud. Public outrage flooded social media the following day as individuals who searched for their names in the website confirmed that the information posted on the site was accurate.

GMA News and ABS-CBN News posted tips from Democracy.Net.PH, an ICT rights advocacy organization, on how the public can protect itself from identity theft. These tips include changing passwords and security questions on online accounts, securing authenticated documents and even renewing ID cards. Rappler also published a report with tips from IT experts on securing personal accounts which were likely compromised by the data leak.

On April 23, the Philippine Daily Inquirer ran a banner story specifying identity theft as the biggest threat from the leak (“55M at risk in ‘Comeleak’”). It also cited the possibility of election fraud using the leaked information as the data can be used for so-called flying voting. The Inquirer also ran a story the same day with tips on how to minimize the risk of identity theft in banks (“Leak alarms banks; BSP urges tighter measures”).

Prior to the website leak, two consecutive hacking incidents of the Comelec website had already been reported in late March. The first was by the hacktivist group Anonymous Philippines, which defaced the Comelec site on March 27 as a call to the Comelec to implement the security features of the vote-counting machines, primarily the issuance of voters’ receipt, in the upcoming elections.

The second incident happened shortly after the first, and was more alarming. Another hacker group, LulzSec Pilipinas, hacked into the database of the Comelec website and leaked the encrypted data to three download mirror sites. These mirrors were made public through a Facebook post.

No Sensitive Information?

Media reports initially centered on the Comelec’s downplaying the incident by saying that there was no sensitive information included in the March 27 leak. Comelec spokesperson James Jimenez said that while the hackers were able to secure a copy of the voters’ master list, it is not a substantial threat since the list is publicly displayed in the website anyway.

Notable among the reports was Rappler’s April 1 article which was first to challenge Comelec’s claims (“Experts fear identity theft, scams due to Comelec leak”). Rappler checked the data leaked by LulzSec and reported that personal information on voters was indeed included in the data dump. These data were encrypted but can still be deciphered. Rappler also interviewed IT experts who claimed that the voters’ data leaked by the hackers were “identifiable data.” The report noted that identity theft by using the leaked information from the Comelec database is indeed possible.

This could be the biggest government-related data breach in history and because of the extent of the leak, it is morphing into a major electoral concern as Election Day nears. The media would, therefore, be doing an even better job by following further developments especially as they impact on the conduct and credibility of the 2016 elections and on Comelec accountability.