Security researchers are warning that up to 55 million voters in the Philippines are at risk after an entire electoral database from the Philippines' Commission on Elections (Comelec) has been leaked online. The website was initially compromised and defaced on 27 March by hackers aligned with the Anonymous collective before a second group called 'LulzSec Pilipinas' then posted the database online three days later.
Now, a subsequent investigation by security firm Trend Micro has found that a slew of sensitive personal information on Filipino citizens has been exposed online – including passport information and fingerprint data that was reportedly stored without strong encryption.
"The data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates," said Trend Micro. "What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million record of fingerprints and list of people running for office since the 2010 elections."
Following the data breach, Comelec officials attempted to downplay the importance of the massive leak of election data. "I want to emphasise that the database in our website is accessible to the public," said spokesperson James Jimene. "There is no sensitive information there. We will be using a different website for the election, especially for results reporting and that one we are protecting very well."
However, Trend Micro's own research has exposed claims that no sensitive information was held in the leaked data dump. "Our research showed that massive records of PII, including fingerprints data were leaked," the security firm explained. "Included in the data Comelec deemed public was a list of officials that have admin accounts."
Every citizen is now at risk
The election website compromise comes just weeks before citizens go to the polls in the Philippines – currently slated for 9 May. After the first website attack, Anonymous warned the election body that it should strengthen security of its vote-counting systems – something the officials do not appear to be acting on.
Trend Micro has also issued a warning that every citizen registered to vote is potentially at risk. "Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion," the firm explained. "In previous cases of data breaches, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails, blackmail, extortion, and much more. With 55 million registered voters in the Philippines, this leak may turn out as the biggest government-related data breach in history."
Most recently, the Turkish election system was also caught up in a data breach crisis after hackers claimed to have leaked data on approximately 50 million citizens. The unnamed hacktivist uploaded a trove of details in a 6.6GB file that claims to hold the first and last names, national identifier numbers, mother and father's first names, gender, city of birth, date of birth, full address, ID registration cities and districts of 49,611,709 Turkish citizens.