Malacañang on Friday urged the Commission on Elections (Comelec) to accept accountability for the hack on its database last year that exposed millions of voters to identity theft and fraud.
Presidential Communications Secretary Martin Andanar also called on the Comelec to release its investigation report on the hack, a day after the National Privacy Commission declared the election watchdog’s chair, Andres Bautista, liable for “gross negligence” that left the election body’s database highly vulnerable to cyberattack.
The finding opened Bautista to criminal prosecution over the security breach that became known as “Comeleak.”
Voter database hacked
In that attack, hackers extracted contents from the Comelec’s website, including information from the voter database, from March 20 to 27, 2016.
The hackers then uploaded the voter information—names, addresses, dates of birth, passport details—to file-sharing platforms.
The Comelec became aware of the security breach when the files went viral online.
Compromised were the files of 77 million voters, in what has been described as one of the worst breaches of a government database.
The privacy commission, however, said the leak did not affect the integrity of the May 9, 2016, elections.
Andanar said the security breach exposed those voters “to risks such as identity theft and fraud,” a matter that “simply cannot be swept under the rug.”
“[The] Comelec must not only protect the vote, it must protect the voters as well,” Andanar said in a statement.
He urged the Comelec to accept responsibility for the breach and release the report on its investigation of the cyberattack to maintain the election body’s credibility, and uphold the integrity of the electoral process.
Efforts must be made to thwart attempts to interfere with the electoral process, he said.
“Let us put an end to election-related maneuverings and ensure that any attempt to subvert the people’s will, no matter how sophisticated, will not succeed,” he added.
Formed last year, the privacy commission investigated the hack on the Comelec and found that the election watchdog did not have basic data principles.
It said the Comelec had no policy covering data privacy and did not even have a data protection officer.
The void left the Comelec highly vulnerable to cyberattack, which the privacy commission blamed on Bautista.
It concluded that under the Data Privacy Act, Bautista committed gross negligence and recommended him for prosecution.
On Friday, Bautista said he was open to a “congressional investigation in aid of legislation.”
He also defended himself against the findings of the privacy commission.
“We believe that we did what we had to do given the circumstances. We feel the [privacy commission] overstepped its boundaries,” he said.
The election watchdog Kontra Daya welcomed the privacy commission’s finding against Bautista, saying it could serve as basis for the Comelec chief’s impeachment.
“[T]his could be a ground for Bautista’s impeachment, especially considering that the leak was initially reported by TrendMicro on April 6 and the Comelec at that time failed to disclose the extent of the breach,” the group said in a statement.