The Philippines’ data privacy watchdog and top law enforcement agency are investigating allegations that electoral systems being used for the country’s upcoming general election were hacked.
The Manila Bulletin, the Philippines’ largest English-language newspaper, published claims from an anonymous source that the servers of the Philippines Commission on Elections (COMELEC) were breached on January 8, and that attackers downloaded more than 60 GB of data.
The data included usernames and PINs of vote-counting machines, as well as “network diagrams, IP addresses, list of all privileged users, domain admin credentials, list of all passwords and domain policies, access to the ballot handling dashboard, and QR code captures of the bureau of canvassers with login and password”, reported the Manila Bulletin.
The data was also alleged to include a “list of overseas absentee voters, [the] location of all voting precincts with details of board of canvassers, all configuration list of the database, and list of all user accounts of COMELEC personnel”.
‘No independent verification’
COMELEC said in a statement dated January 10 that it was “presently validating the allegations”, but added that “usernames and PINS of vote-counting machines” did “not exist in COMELEC systems simply because the configuration files – which includes usernames and PINs – have not yet been completed. This calls into question the veracity of the hacking claim”.
COMELEC also said the Manila Bulletin failed to offer proof of its claims that it had “verified that there was an ongoing hack”.
In a tweet posted on January 10, COMELEC commissioner Rowena Guanzon described the allegations as “fake news”.
The Manila Bulletin said it immediately informed COMELEC of the allegations after being tipped off about the hack on January 8. The National Privacy Commission (NPC), the country’s data protection regulator, said it was alerted to the claims on the same day. The newspaper broke the story on January 10.
Art Samaniego Jr, business tech editor at the Manila Bulletin, tweeted on January 11: “We waited for three days, we did not get any reaction. Less than three hours after we published, COMELEC gave a statement…”
Ongoing investigations
The NPC has summoned COMELEC and Samaniego to a “clarificatory meeting via teleconference on January 25” to address the allegations, according to a statement dated January 12.
“Rest assured that the NPC does not tolerate any act in violation of the Data Privacy Act including negligence in implementing organizational, physical, and technical security measures on personal data processing systems, whether in government or private institutions,” it added.
COMELEC said: “The COMELEC assures the public of its full and scrupulous compliance with the Data Privacy Act, as well as its continuing cooperation with the National Privacy Commission.”
The elections body invited the publication “to shed light on their allegations”, adding that “the COMELEC stands ready to pursue all available remedies against those who, either deliberately or otherwise, undermine the integrity of the electoral process.”
COMELEC has reportedly handed documents over to the National Bureau of Investigation (NBI), the Philippines’ equivalent to the FBI, as part of its probe.
The elections body has been ordered to submit the findings of its investigation to the NPC by today (January 21).
The Philippine general election is scheduled for early May, with candidates to replace incumbent president Rodrigo Duterte – who is stepping down as the constitution mandates single term limits – including former boxer and current senator Manny Pacquiao; Bongbong Marcos, the son of former authoritarian president Ferdinand Marcos; and daughter of the incumbent, Sara Duterte.
COMELEC was hit by the biggest data breach in Filipino history in 2016 when the data of up to 55 million registered voters was compromised. A COMELEC spokesman initially said “there is no sensitive information there”.
The Daily Swig has contacted the NPC, COMELEC, the Philippines Cybercrime Investigation and Coordinating Center, and Art Samaniego Jr of the Manila Bulletin but we have yet to receive any replies. We will update this article if and when we hear back.
Source: https://portswigger.net/daily-swig/was-comelec-hacked-philippines-commission-on-elections-casts-doubt-on-data-breach-claims