How bad is the COMELEC data breach?

On March 27, 2016, hackers under the banner Anonymous Philippines hacked into the website of the Commission on Elections (COMELEC) and defaced it to demonstrate how weak the poll body’s online security measures are. A few days later, another group of hackers, LulzSec Pilipinas, made the entire COMELEC database available online: 338GB in size, containing information on more than 55 million voters.

COMELEC Chair Andres Bautista said that no confidential information was leaked. COMELEC has downplayed the scale of the data breach to allay fears that it could compromise the results of the 2016 elections. While that is a valid concern and the election results were untainted, COMELEC brushed aside the other, equally great risk to the millions of registered voters whose personally identifiable information has been compromised.

The newly established National Privacy Commission (NPC) has just finished its investigation of the data breach and has made public the types of personal data that have been made available to anyone online, including criminals:

“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”

“The voter database in the Precinct Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’ name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system.” the decision further reads, depicting how much personal data are now most likely in the hands of criminal elements as a result of the COMELEC data breach.

Here’s a rundown of the personally identifiable information that has been leaked:

  • voter’s verified name
  • date of birth
  • gender
  • civil status
  • post of registration
  • precinct number
  • birthplace
  • disability
  • voter identification number
  • voter registration record number
  • reason for deletion/deactivation
  • registration date and update time
  • passport information with number and expiry date
  • taxpayer identification number
  • e-mail address
  • mailing address
  • spouse’s name
  • complete names of the voter’s mother and father
  • voter’s addresses in the Philippines and abroad
  • post or country of registration
  • old registration information
  • Philippine representative’s complete name
  • citizenship
  • registration assistor
  • profession
  • sector
  • height and weight
  • identifying marks
  • biometrics description
  • voting history
  • mode of voting
  • other textual reference information for the voter registration system

To criminals who are into identity theft, use of forged documents and IDs, impersonation, blackmail and harassment, the COMELEC data leak is a gold mine.
If you’re a registered voter, you are vulnerable to hacking of your social media and other online accounts, and to identity theft, which would compromise your bank accounts, utilities, academic or professional records, etc. The leaked data could even be used to manipulate the next elections.

The NPC is right to recommend the filing of criminal charges against COMELEC Chair Andres Bautista, as he is liable for this catastrophic violation of Republic Act No. 10173, or the Data Privacy Act of 2012.

I don’t know how else to say it, but this has really got me scared.

How to check if your Gmail is hacked

If you are worried about the recent leak of around 5 million Gmail user names and passwords on the internet and would like to check if yours was included, check out the following website:

https://isleaked.com

Just enter your Gmail address and it will tell you if it’s part of the database of hacked accounts. Don’t worry, the website is legit. I used it and was relieved to find out that none of my Gmail accounts were hacked.

If yours was, change your password now and also activate Google’s two-factor verification to make your account more secure.

Google has responded that the leak was not due to a successful attack that compromised their servers or network. Rather, the database was a collection of Gmail accounts that were obtained through phishing, malware, or other means. So again, be careful about which emails you open, which links you click, and which websites you provide your email address and other personal information to. Lastly, make it a habit to change your passwords every now and then and avoid using the same password across your online accounts. If your Facebook account gets hacked, all your other accounts will be hacked too.


Amazon Cloud Drive – No file sharing, no privacy

At first, I got excited by the new Amazon Cloud Drive service. Who wouldn’t? Getting 5GB of free space, plus the ability to upload a single file that could be as big as 2GB, for FREE is a great deal. Knowing that the service is built on top of Amazon S3 and its other cloud computing infrastructure, you’d know for certain that Cloud Drive would be robust and reliable.

Amazon Cloud Drive
Streaming music is cool, but not being able to share files? Uncool.

However, there are two crucial features that stopped me from completely switching over to Amazon Cloud Drive: the lack of file sharing ability and the loss of your rights to privacy.

Being able to stream Amazon MP3 purchases to any PC or an Android phone is nice. Amazon even beat Apple and Google to the punch by offering a cloud-based music streaming service with Cloud Drive. But for the rest of us who are not US residents, Cloud Drive doesn’t offer anything new; it doesn’t even offer one basic feature common to other cloud-based file locker services: the ability to share files.

This is probably tied up with the way Amazon has set up Cloud Drive in order to combat piracy: users give up their rights to privacy over the files, the MP3s specifically, that they store in the service. It’s all spelled out in the Amazon Cloud Drive Terms of Service:

5.2 Our Right to Access Your Files. You give us the right to access, retain, use and disclose your account information and Your Files: to provide you with technical support and address technical issues; to investigate compliance with the terms of this Agreement, enforce the terms of this Agreement and protect the Service and its users from fraud or security threats; or as we determine is necessary to provide the Service or comply with applicable law

That essentially allows Amazon or a third party to take a look at your files, again especially your MP3s, to see if they are pirated or not. Don’t be naive and think that Amazon will ‘do no evil’ and protect you; under the above-quoted clause of the ToS, a simple subpoena from, say, the RIAA will be enough for them to hand over your files.

And just like that, my enthusiasm for Amazon Cloud Drive has gone south. You can’t share files with your friends, colleagues, etc., and you have ‘Big Brother’ inspecting them. I guess it’s still a wiser move to keep your music and files and just regularly back them up to portable storage devices.