Banks alerted vs ‘misuse’ of stolen Comelec data

By Luis Leoncio

The Bangko Sentral ng Pilipinas (BSP), raising alarm over the wide-scale hacking of the voters’ database of the Commission on Elections (Comelec), has issued a memorandum to all local banks to strengthen their know-your-customer (KYC) practices and strictly apply these in every transaction they make to prevent the misuse of the stolen information for spurious financial transactions.

The sensitive information includes fingerprints and other data of 54.3 million Filipino registered voters.

“Relative to the reported unauthorized disclosure of voters’ registration records of the Commission on Elections, all BSP-supervised financial institutions are enjoined to strengthen their KYC practices and exercise extra vigilance against possible misuse of said information for financial transactions,” BSP Deputy Gov. Nestor A. Espenilla Jr. said in the memorandum.

“Customer-identification procedures of BSP-supervised financial institutions that rely on static information

that may be obtained from the disclosed Comelec records should be supplemented by requests for additional proof or secondary information to establish the true identity of new and existing clients,” the memo added.

The personal data of more than 54.3 million Filipino registered voters have been compromised or exposed in a breach of the Comelec database on March 27 by a group that identified itself as Anonymous Philippines.

In the initial report about the hacking, it was said the Comelec homepage was defaced with a message accusing the poll body of not doing enough to ensure the security of voting machines to be used in the country’s coming elections.

“One of the processes by which people exercise their sovereignty is through voting in an election,” the message read. “But what happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?”

One of the suspected members of the hacking group, new information technology (IT) graduate identified as Paul Biteng of Manila, has been arrested by the National Bureau of Investigation and is now being questioned.

The Philippine Daily Inquirer reported that he has “confessed,” initially saying boredom made him do it. He also said the hacking was meant to “give voice to the voiceless.”

At the time of the hacking, Biteng said the burning issue was the Comelec’s refusal to ensure that the vote-counting machines would have four safety measures and that there would be vote receipts in the elections.

“The government did not think it was necessary to do these things. But these are safety measures to ensure that there would be no cheating (on Election Day). Since I was bored that day, I thought I should give voice to the voiceless,” Biteng was quoted as having said.

The confessed hacker said he started his “operation” on March 18, involving the cracking of computer codes or spotting the Comelec’s website “errors.”

Two days later, Biteng shared his information with fellow hackers, apparently from Anonymous Philippinesand by March 27, the Comelec website had been defaced and the voters’ data leaked.

But Biteng said the leakage was never part of the plan. He said he did not know why the other hackers leaked the data “because my plan was only to deface the site and get my message across.”

The leakage was traced to LulzSec Pilipinas, which posted an online link to what it claimed was the entire database of Comelec.

The release of the data, including the fingerprints and addresses of voters, prompted alarms over the possibility of these being used to commit election fraud and cybercrimes such as extortion and hacking of financial accounts.

A week after the hacking, a blog post from Japanese security vendor Trend Micro, expressed similar concerns about the data dump that was extracted from the Comelec.

IT experts called the breach the biggest-ever case of hacking of government data.

Trend Micro said the trove of sensitive personal data from the Comelec database now out in the open leaves every registered voter susceptible to identity theft and fraud.

Computer experts said the Comelec could be held accountable under Republic Act 10173, or the Data Privacy Law.

Earlier, the Comelec, in a statement, tried to downplay the hacking. Spokesman James Jimenez said that “no sensitive information” was hacked.

“We will be using a different website for the election, especially for results reporting and that one we are protecting very well,” Jimenez said.

But Trend Micro said in a report that its investigations “showed a huge number of sensitive personally identifiable information (PII)—including passport information and fingerprint data—were included in the data dump.”

According to Trend Micro, the hacking covered a huge amount of very sensitive personal data, including the fingerprints of 54.3 million people, their passport numbers and expiry dates.

That makes this hack potentially the “biggest government-related data breach in history,” said Trend Micro, “surpassing the Office of Personnel Management (OPM) hack in 2015 that leaked PII, including fingerprints and social security numbers (SSN) of 20 million US citizens.”

It even exceeds the recent record-breaking release of personal information from the Turkish citizenship database, which contained records of 49 million people, the population of half the country.

Trend Micro said the hacking leaves citizens open to risk from crime.

“Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion. In previous cases of data breach, stolen data have been used to access bank accounts, gather further information about specific persons, used as leverage for spear-phishing e-mail or BEC (business e-mail compromise) schemes, blackmail or extortion, and much more,” it added.

Earlier, cybersecurity firm FireEye, which has been hired to investigate the $81-million heist against Bangladesh Bank, expressed fears that Philippine firms were “twice likely to face advanced cyberattacks than the worldwide average,” because of the country’s outmoded cybersecurity platforms.

An analysis of the Philippines’s capability showed it was 30 percent likely to be a victim of cyberattack, which is twice the worldwide average of 15 percent, the company said.