The database of the Philippine Commission on Elections (COMELEC) has been breached and the personal information of 55 million voters potentially exposed in what could rank as the worst ever government data breach anywhere.
The website of COMELEC was compromised on 27 March by Anonymous, before LulzSec Pilipinas stuck the database online days later.
It’s believed Anonymous’ motivation was to persuade the commission to switch on security features in the vote counting machines ahead of national elections on 9 May.
According to Trend Micro, which has a threat research center in the Philippines, COMELEC’s statement that there was no sensitive info in the database, is wide of the mark.
“Our research showed that massive records of PII, including fingerprints data were leaked. Included in the data COMELEC deemed public was a list of COMELEC officials that have admin accounts,” the firm said in a blog post.
“Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone. Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections.”
Trend Micro warned that voters could be targeted in phishing or spear phishing attacks, BEC schemes, blackmail, extortion and more.
It added that the incident highlights once again the need for organizations to classify, segregate and protect data based on its sensitivity – under the watchful eye of a data protection officer.
“It will be crucial for companies to employ data protection officers, but even then it will be an uphill battle for various reasons, including cultural differences,” argued Trend Micro CTO, Raimund Genes.
“For example, In Germany, having a Data Protection Officer is necessary by law, but in other countries, it’s not. Companies might even think that they don’t need one.”
Regular security audits, user education, patching and breach contingency plans will all lower the chances of a breach and/or mitigate its effects.
If true, the 55 million figure – which amounts to every single registered voter in the Southeast Asian nation – will dwarf the United States OPM breach last year, which affected over 21 million government employees.