The sensitive data of 55 million registered Filipino voters, including 1.3 million passport numbers of Filipinos overseas and 15.8 million records of fingerprints, were compromised following the hacking of the Commission of Election's (Comelec) website, said a tech security firm.
Taiwanese firm TrendMicro, founded in 1988, published on April 6 that every registered voter in the Philippines is now vulnerable to fraud and other risks based on its investigation.
Last March 27, hacktivist group Anonymous Philippines hacked the poll body's website, asking Comelec to make sure the PCOS have security features in place.
Hours later, another group named Lulzsec Pilipinas, posted Comelec’s entire database and leaked it on Facebook, with three mirror links to download the database, CNN Philippines said.
But Comelec spokesperson James Jimenez downplayed the effect of the hack, saying no sensitive information was compromised during the hacking and the website to be used for the election results reporting will be a different one from its website.
TrendMicro countered Comelec's statement saying that its investigations showed a huge number of sensitive personal identifiable information (PII), including passport information and its expiry dates, were included in the data dump.
"Our research showed that massive records of PII, including fingerprints data, were leaked. Included in the data COMELEC deemed public was a list of COMELEC officials that have admin accounts."
The tech security firm expressed its concern on the data breach, saying that the information can be used to extort the affected citizens.
"Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion. In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more," said TrendMicro.
Comelec's Jimenez said on Twitter that the poll body has yet to check the firm's sources and what it claims to have studied.
For the May 9, 2016 polls, around 55 million Filipinos were registered as voters, while active Filipino voters abroad reached 1.4 million — the total is the largest number of registered voters the country has seen so far.
The defacement of the Comelec website by a hacker group called Anonymous Philippines happened at near midnight on March 27. In a message to the government, the group said they want the poll body to implement tighter security measures on the precinct count optical scan (PCOS) machines to be used in the May 9 polls.
"But what happens when the electoral process is mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?" the hackers posted in the defaced Comelec website.
A report from online news site Rappler said a second hacker group called LulzSec Pilipinas posted within day an online link to the Comelec’s whole database. The following day, the group also reportedly updated the post to add three mirror links to an index of files that could be downloaded.
Trend Micro said the leak may turn out as the biggest government-related data breach in history, surpassing the Office of Personnel Management (OPM) hack in 2015 that leaked personally identifiable information (PII), including fingerprints and social security numbers (SSN) of 20 million US citizens.
While the Comelec has given assurances to the public the day after the hacks that the no sensitive information was compromised and the country's second automated polls will be secure, the securty firm believes otherwise.