Night view of Makati the business district of Metro Manila showing data breach of Comelec

Reported Comelec Data Breach Provides Attackers With Inside Information on Philippines Election Systems; Election Body Claims Nothing Happened

Manila Bulletin, the largest English-language newspaper in the Philippines, says that a serious data breach of the country’s Commission on Elections (Comelec) occurred. This breach essentially includes a roadmap of the internal workings of all of the country’s election systems, including admin credentials, as well as lists of overseas absentee voters. Comelec called it “fake news” and claimed that it never happened.

The Manila Bulletin Technews report is based on an anonymous source that tipped off reporters, and appears to have provided the newspaper with files that show usernames and PINS of vote-counting machines (VCM). The paper reports that about 60 GB of data was stolen in total and that it contains admin login passwords, network diagrams and direct access to the ballot handling dashboard among other highly sensitive items.

Comelec denies crippling data breach happened; newspaper says it has receipts

Founded in 1900, the Manila Bulletin is one of the longest-tenured and most reputable papers in the region, not prone to print unfounded tabloid reporting. The documents provided by the source have not been made public, but the country’s federal cyber crime agency has confirmed that the paper has voluntarily turned over files to it and it has found reason to open an investigation into the matter.

The Philippine general election is coming up in early May, with incumbent president Rodriguo Duterte forced to step down due to term limits. A field of about a dozen candidates in the presidential election includes celebrity boxer Manny Pacquiao (a current member of the Senate), Bongbong Marcos (son of former authoritarian president Ferdinand Marcos) and daughter of the current president Sara Duterte. Rodriguo Duterte is also running for the position of vice president, elected separately from the president’s ticket.

If it did in fact occur as the newspaper reports, the Comelec data breach could throw this entire enterprise into chaos. The 60 gigabytes of data allegedly stolen from the agency opens up multiple possibilities for outside agents breaching the voting systems and going so far as to directly change vote totals. The stolen data includes network diagrams, IP addresses, lists of all privileged users, domain admin credentials, list of all passwords and domain policies, access to the ballot handling dashboard, and QR code captures of the bureau of canvassers with logins and passwords, lists of overseas absentee voters, locations of all voting precincts with details of each board of canvassers, all configuration lists of the database, and lists of all user accounts of Comelec personnel, according to the paper.

The Bulletin says that the anonymous source approached them about an ongoing data breach at Comelec on January 8. Reporters say they confirmed the legitimacy of the breach and contacted spokesperson James Jimenez of the Comelec Steering Committee about it, but did not receive an immediate reply.

Potential data breach draws attention of federal agencies despite comelec denial

The National Privacy Commission (NPC) has summoned Comelec and the Manila Bulletin to a January 25 teleconference to clarify the issue. NPC Commissioner John Henry Naga issued a statement indicating the commission will ask Comelec to address the allegations made in the report and verify that no personal information was leaked in the data breach. The incident could represent a violation of the nation’s Data Privacy Act. Comelec will also need to present the findings from its own internal investigation at the meeting.

Comelec Commissioner Rowena Guanzon maintains the organization’s stance that the report is “fake news.” Comelec spokesperson Jimenez has also since issued a statement saying that the organization is “confident” that a data breach did not occur. Jimenez also told the media that some of the items that were reported stolen, such as lists of voters and PIN numbers, are not available online.

In a later interview with the news network ANC, Bulletin Tech News Editor Art Samaniego Jr. indicated that the information was provided to the paper by “white hat hackers.”

The issue has gained some traction given that it is not the first data breach to appear ahead of an election in recent years. In 2016, the year in which Duterte won the presidency, Comelec experienced a data breach two months before the election that saw a database of registered voters leaked to the public. It remains the biggest data breach in the country’s history and one of the biggest in the world involving a government agency.

Comelec has also been dogged by scandal in recent months, accused of giving a logistics company headed up by a political ally of the president preferential treatment. The company was selected for a $32.3 million contract to handle the voting equipment and ballots for the 2022 election.

Comelec has asked the National Bureau of Investigation (NBI) to open a secondary probe into the incident. This began on January 15 with a physical inspection of the security at Comelec’s headquarters in Laguna.

The charge has some political support, with Senator Panfilo “Ping” Lacson (a potential presidential candidate) calling for Comelec to investigate all possibilities including a potential “inside job.”