Hackers’ haven

A hacking scandal bigger than the embarrassing $81 million cyberheist of the Bank of Bangladesh, which was cooked up in the country, has emerged, and it involves 55 million Filipinos.

Computer experts believe the Commission on Elections (Comelec) is hiding the truth about the March 27 hacking of the Comelec system, which the poll body's officials are trying to pass off as a mere incident of Web site vandalism.

The Easter Sunday attack on the Comelec was claimed by two groups, Anonymous Philippines and LulzSec Pilipinas, which intruded into the Comelec Web site simultaneously. Anonymous defaced the Comelec page while the other group extracted data that it claimed to be sensitive poll information kept by the Comelec.

What is now being discussed in the cyber community is worrying: a hoard of Comelec data is suspected to have been hacked, including sensitive information, fingerprints among it, that 55 million voters have provided the poll body.

The stolen data supposedly included 1.3 million passport numbers of Filipinos working or living overseas and 15.8 million records of fingerprints.

Taiwanese firm TrendMicro attested to the hack and, based on its investigation, warned that registered voters in the Philippines are now vulnerable to fraud and other risks.

The Comelec has downplayed the incident, saying that the poll body will use a different site for the election proper anyway and that no sensitive information was compromised.

TrendMicro's investigation of the attack, however, showed that a huge amount of sensitive personally identifiable information was included in the stolen data. It expressed concern about the data breach, saying that the information can be used not only for poll fraud but also to extort those listed in the Comelec database.

Cybercriminals can choose from a wide range of ways to use the information gathered from the data breach for extortion. In previous data breaches, stolen data had been used to access bank accounts, to gather further information about specific persons, as leverage for spear phishing emails or business e-mail compromise schemes, for blackmail or extortion and much more, according to TrendMicro.

American information technology (IT) expert Troy Hunt said the breach was so huge that he termed the Easter Sunday attack on the Comelec Web site a case of a nation having been hacked.

"Whilst there's been limited press coverage on the issue, a public statement from the Filipino government has suggested nothing sensitive was disclosed. As I discovered when I reached out to some of the people involved, this is blatantly wrong," Hunt said.

The hackers also, apparently as a bragging right, posted the downloaded Comelec data online, which now exposes those who have provided their personal information to the poll body to every cyber predator.

Another IT specialist, Andrew Liptak, described the Comelec hack as one that can be considered the largest data breach ever.

"The scale of the attack is even larger than that of the Office of Personnel Management breach in 2015, and leaked sensitive information such as fingerprints and passport information," he said.

The hackers succeeded, likely on their first try, in intruding into the Comelec system, leaving the poll body's officials in denial mode in an effort to paint normalcy onto what may turn out to be a compromised election process.

The Comelec said that safeguards have already been installed in the elections system, but the voters' vital information is already in the hands of the hackers, and it may turn out to be a very lucrative data hoard for those who can use it to manipulate votes.

With voters' names, fingerprints and other personal information included in the stolen data and made available online, the hackers of the world may even compete against each other in goofing up next month's polls.

The Comelec should be forthright and tell voters what the real score is on the breach of its system and whether the coming political exercise has already been compromised.

Telling the people that the May election is not affected despite the breach only contributes to the belief that the automated polls are to be rigged.

Also, the Comelec should be sued by 55 million voters for failing to safeguard their vital information.

Source: Tribune