THE National Privacy Commission on Monday asked the Commission on Elections to take “serious” steps to address the second large-scale data breach of the country’s 55,195,674 voters.
At a news conference at the Department of Information and Communications Technology, the University of the Philippines, Diliman, Quezon City, NPC executive director Jose Tolentino Jr. disclosed a computer at the office of the election officer in Wao, Lanao del Sur was stolen on Jan. 11.
He said the stolen computer contained data from the voter registration systems, voter search application and national list of registered voters “containing the personal information of roughly 55 million voters.”
“Why did it take Comelec two weeks before reporting the breach?” he asked.
“Why did Comelec treat the case as simple robbery only?”
In its compliance order, the NPC directed Comelec to erase all copies of the NLRV in its computers in different municipalities and cities should it fail to secure the database using appropriate organizational physical and technical measures.
Tolentino asked Comelec to notify all data subjects affected by the personal data breach within two weeks and data subjects with records at the VRS in Wao.
Notification can be done through publication in two newspapers of general circulation, the NPC said.
In April 2016, 1.3 million passport data and 15.8 million fingerprints were stolen by hackers from Comelec’s computer system.
The leak was considered the biggest government-related data breach in history.
According to Privacy Commissioner Raymund Liboro, the NLRV contained approximately 75,898,336 records as of Oct. 17, 2016.
Of these, 55,195,674 are active voters, while 20,703,662 others are deactivated voters, he said.
The VRS contained 58,364 registration records for Lanao del Sur’s Wao, he added.
Liboro challenged Comelec’s statement the data in the database had been encrypted.
The poll body even admitted if a robber would be able to gain access to the VRS and decrypt the VRS and NLRV data, the personal data might be used by unscrupulous persons for purposes other than those legitimately intended, he noted.
Liboro’s statement said: “This is already Comelec’s second large-scale data breach in a span of less than a year, a case of a database being breached twice under different circumstances. This time, it involves actual large-scale biometrics data of voters in a municipality.
“The commission is very concerned, especially since there is ongoing voter registration nationwide. We will delve into the problem to possibly recommend other measures for Comelec to implement to protect voter data nationwide.”
“The no. 1 cause of breach is due to employee’s negligence,” he told reporters.
But he said the NPC did not “want to go further to file a case behind the breach.”