The Philippines' 55 million voters are now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Commission on Elections (Comelec), security firm Trend Micro has warned.
The defacement of the Comelec website by a hacker group called Anonymous Philippines happened at near midnight on March 27. In a message to the government, the group said they want the poll body to implement tighter security measures on the precinct count optical scan (PCOS) machines to be used in the May 9 polls.
"But what happens when the electoral process is mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?" the hackers posted in the defaced Comelec website.
A report from online news site Rapplersaid a second hacker group called LulzSec Pilipinas posted within day an online link to the Comelec’s whole database. The following day, the group also reportedly updated the post to add three mirror links to an index of files that could be downloaded.
Trend Micro said the leak may turn out as the biggest government-related data breach in history, surpassing the Office of Personnel Management (OPM) hack in 2015 that leaked personally identifiable information (PII), including fingerprints and social security numbers (SSN) of 20 million US citizens.
While the Comelec has given assurances to the public the day after the hacks that the no sensitive information was compromised and the country's second automated polls will be secure, the securty firm believes otherwise.
"Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone," the security firm said in a blog post.
"Interestingly, we also found a whopping 15.8 million record of fingerprints and a list of people running for office since the 2010 elections,'" it added.
"Among the data leaked were files on all candidates running on the election with the filename VOTESOBTAINED. Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED file are set to have NULL as figure."
Regardless whether the hacking could affect the elections, the security firm said there is still the issue of all voter information that was leaked.