January 12, 2017 -
The Philippines’ National Privacy Commission (NPC) ruled that the Commission on Elections (Comelec) should be held liable for the data breach at its voter database last March, according to a report by eGov Innovation.
As part of the NPC’s decision, Comelec chairman J. Andres D. Bautista will face criminal charges for the negligence.
In a ruling signed on December 28, 2016, the NPC emphasized Bautista’s “lack of appreciation” of the notion that data protection is more than just the implementation of security measures.
“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of Comelec’s privacy and security policies and practices,” the NPC wrote in its decision.
The hack, which occurred last March, leaked the Comelec’s entire database and exposed the data of 55 million Philippine voters, making them vulnerable to fraud and other risks.
The agency consistently downplayed the hack; security firms, however, emphasized the severity of the incident.
An investigation by Trend Micro into the leak found that the data dumps include 1.3 million records of overseas Filipino voters, including their passport numbers and expiry dates.
Trend Micro said the database also held 15.8 million fingerprint records and a list of electoral candidates since the 2010 elections.
The NPC called the incident the worst recorded breach of a government-held personal database in the world in terms of volume, and found that the Comelec violated Sections 11, 20 and 21 of Republic Act No. 10173 with regard to the agency’s duty as “personal information controller.”
The NPC said the personal data in the breach is stored on several databases kept on the website, including the voter database in the Precinct Finder web application, which contains 75.3 million records; the voter database in the Post Finder web application, which contains 1.3 million records; the iRehistro registration database, with 139,301 records; the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and the Comelec personnel database, containing records of 1,267 Comelec personnel.
The NPC decision also provided a full overview of the types of compromised sensitive personal information that were contained in Comelec’s two web-based applications, which included the voter’s full name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.
In response, the NPC has called on the Comelec and Bautista to name a data protection officer within a month of receiving the decision.
The NPC also ordered the Comelec to conduct an agency-wide Privacy Impact Assessment within two months, and to establish a Privacy Management Program and a Breach Management Procedure within three months.
Over the course of the next six months, the Comelec should adopt organizational, physical and technical security measures that comply with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular No. 16-01, on Security of Personal Data in Government Agencies.
The NPC also requested the Secretary of Justice to conduct “further investigation for possible prosecution” under the Cybercrime Prevention Act, after discovering that one of the computers used in the Comelec data breach had an IP address registered with the National Bureau of Investigation (NBI