HOURS after the arrest of a suspect accused of defacing the official Commission on Elections website, hackers calling themselves LulzSec Pilipinas uploaded the personal information of some 56.7-million registered voters on their site.
The site, named “Philippines, we have your data,” was uploaded hours after Comelec Chairman Andres Bautista announced the arrest of one of the three hackers, who is in government custody.
The site contains a search engine that enables visitors to look up registered voters to find information such as their home addresses and birthdates.
The data that has been accumulated from the Comelec website is said to include birthdates, fingerprint data, names of relatives, home addresses, citizenship information, passport information, and other miscellaneous data.
“We thought that it would be fun to make a search engine over that data,” the hackers said on the website.
Comelec spokesman James Jimenez urged the public not to visit the hacker website as this would put them at risk.
“The National Bureau of Investigation CyberCrimes Division is now looking into the website, and investigating the matter,” Jimenez said. “We advise the public not to use the hacker website as it can be used by the hackers to steal your information and thus expose you even further to the dangers of identity theft.”
He said the NBI has yet to furnish them a copy of its investigation.
Jimenez also apologized for the “continuing attack” on the privacy of all registered voters.
“We assure the public that the Comelec is doing everything we can to resolve this matter at the soonest possible time,” he said.
A former Comelec commissioner and IT expert Gus Lagman criticized the poll body for putting sensitive personal information on its public website.
“The Comelec was wrong. Why put that on a website? Now the people have lost their privacy,” Lagman said, adding that the information could be used for identity theft.
But Lagman ruled out the possibility that the compromised data could be used to manipulate the results of the May elections.
“The election is not an issue here. The biometrics that they alleged have are just photocopies. You need the original biometrics to rig the election result,” Lagman said.
He said he saw no way for the hackers to manipulate next month’s elections.
A cybersecurity expert who spoke on condition of anonymity said the government could take down the website created by Lulzsec Pilipinas, but the Justice Department would have to obtain a court order to do so.
“The government has the means to take the website down. It will be difficult but it can be done,” the source added.
Earlier, Bautista announced that the hacker arrested by the NBI was a 20-year-old IT graduate from a “prestigious university.”
In a press conference, NBI Cybercrime Division chief Ronald Aguto said it took them about three weeks to find him and said they were still tracking down two other hackers.
“He just wanted to demonstrate the vulnerability of the website,” Aguto said of the hacker’s motive.
Aguto identified the suspected hacker Paul Biteng, a resident of Sampaloc, Manila.
Biteng was charged with violating Section 4a of the Cybercrime Prevention Act, which deals with confidentiality, integrity and availability of computer data and systems.
Biteng admitted to defacing the Comelec website but denied that he was the one who uploaded the data online.
Aguto said at least two more hackers were involved in the data dump.
The NBI official said they will go after the two other hackers as well as any other individual who has physical possession of the data illegally uploaded online.
Aguto said that his agency is still identifying the specific affiliation of the hacker and that the investigation is ongoing.
During the arrest, the police were able to confiscate the computer used in hacking and defacing the Comelec website.
“There is an ongoing forensic investigation,” he said, adding that they could not say yet if the data accumulated were legitimate.
He also could not say whether the data they discovered came from the Comelec.
Bautista said the arrested hacker was cooperative.
“He told us he wanted to make sure that the security features of our vote counting machines were working,” he said in Filipino.
“I told him that he didn’t need to [hack the website]. If he just wrote us and addressed the letter to us we would have immediately addressed his concerns,” Bautista added.
In March, Anonymous Philippines defaced the official website of the Comelec, and posted a message demanding that the security features of the vote counting machines are turned on during Election Day.
“What happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld? We request the implementation of the security features on the PCOS (Precinct Count Optical Scan) machines,” the hacker named “Anynymous” wrote.
The message was accompanied by a threat to the commission that the group will be vigilant on how the Comelec will be running the forthcoming elections.
“Commission on Elections, we are watching! We are Anonymous. We are legion. We do not forgive. We do not forget. Expect us!” the hacker said.
Another group called “LulzSec” accessed the data of the poll body’s website and posted it online.
“A great lol to Commission on Elections, here’s your whoooooole database,” LulzSec Pilipinas wrote in a Facebook post.
The hackers also posted three mirror links to an index of files that could be downloaded.
The files represent “the whole database leak of the Commission on Elections,” the hackers said.
“Some of the tables are encrypted by Comelec [it has] the algo[rithms] to decrypt the data,” they added.
The files include comweb.sql.qz, a 312-gigabyte archive file.
COMMENT DISCLAIMER: Reader comments posted on this Web site are not in any way endorsed by The Standard. Comments are views by thestandard.ph readers who exercise their right to free expression and they do not necessarily represent or reflect the position or viewpoint of thestandard.ph. While reserving this publication’s right to delete comments that are deemed offensive, indecent or inconsistent with The Standard editorial standards, The Standard may not be held liable for any false information posted by readers in this comments section.