Philippines’ NPC provides more insight into COMELEC breach ruling
Philippines’ National Privacy Commission (NPC) recently provided greater insight into its decision that the Commission on Elections‘ (COMELEC) be held liable for a massive breach of its voter database last March, according to a report by The Manila Times.
The database breach resulted in the leak of millions of voters personal identifiable information, including passport information and fingerprint data.
The NPC recently ruled that the COMELEC should be held liable for the database breach with COMELEC chairman J. Andres D. Bautista set to face criminal charges for the negligence.
In its report, the NPC found the COMELEC in violation of several provisions of the Data Privacy Act. For instance, despite COMELEC’s claims that its website and the public-facing applications — Precinct Finder and Post Finder — had several security measures in place, the NPC discovered that they all contained flaws which were exploited by Anonymous Ph and LulSecPinas.
Additionally, the COMELEC claimed that its information infrastructure was protected by three layers of firewalls and intrusion detection systems. However, the NPC did not detect the exfiltration of databases in its investigation and further discovered that the COMELEC left data traffic unmonitored during the period of exfiltration.
The investigation found that COMELEC had not implemented any data protection policies and programs, nor had it assigned a data protection officer to oversee these responsibilities.
The COMELEC did not implement any of the security measures it claimed to put in place until after the database breach had happened.
To make matters worse, the Commission tried to conceal the scope and magnitude of the database breach and leak by actively downplaying the incident. In its official statement, the COMELEC questioned the accuracy of the data illegally accessed and copied.
The Commission also delayed alerting the NPC of the incident, which directly violated the mandatory reporting requirement of the Data Privacy Act.
Following its investigation, the NPC has ordered the COMELEC to assign a Data Protection Officer, perform a privacy impact assessment, develop a comprehensive privacy management program, create a breach management procedure, and implement organizational, physical and technical security measures.
The recommendations are all intended to provide COMELEC with stronger security measures to protect personally identifiable and sensitive data