As bad as the Mexican voter database leak may seem, the hack and data dump affecting over 55 million Filipino voters is much worse, in my opinion. Not only was more sensitive information involved – including passport information and fingerprints – but the data were freely available to an untold number of parties who may have downloaded them.
Now some lawyers are suggesting that not only should the hackers be prosecuted criminally (one suspect has already been arrested and has reportedly confessed), but the heads of COMELEC should be held accountable by impeachment.
Michael Bueza reports that lawyer Toby Purisima said that under Section 2, Article XI of the Constitution, betrayal of public trust is one of the grounds for impeachment of the chairman and commissioners of constitutional commissions like the Comelec.
Purisima said that this hacking and the ensuing data leak fall under the catch-all definition of “betrayal of public trust.”
According to Purisima and fellow lawyer Regie Tongol, COMELEC, as the controller of personal information, may also be made accountable for the data leak under the following laws:
- Republic Act (RA) 10173 or the Data Privacy Act, for failing to protect data from unlawful access
- RA 6713 or the Code of Conduct and Ethical Standards for Public Officials, for negligence in protecting voters’ data
- Section 3(e) of RA 3019 or the Anti-Graft and Corrupt Practices Act for “causing any undue injury” to voters
There is also an accessory penalty under the Data Privacy Act of disqualification from running for public office that would be imposed on concerned Comelec officials, if found guilty.
Under the same law, the Comelec can also be charged for downplaying the incident and concealing the security breach, or for not informing the voters immediately of the release of their personal information.
Read more on Rappler.
Well, lawyers say a lot of things, but will heads really roll over this breach? We’ve seen the head of OPM here resign after the massive hack of that agency. But impeachment of the heads of federal agencies? Can anyone recall ever seeing that anywhere over a breach? Maybe I need more coffee to remember something that’s not coming to mind right now.
But if the recent massive leaks of government databases should teach us anything other than the need for better infosecurity, they should teach us that government agencies should also have breach notification duties similar to those for businesses.
As an interesting side note, it was the U.S. who helped get the searchable database, wehaveyourdata.com, down. Camille Diola reports on PhilStar:
Citing the Philippines’s Department of Justice, which oversees the National Bureau of Investigation (NBI) in charge of the hacking probe, Jimenez said the data was preserved by the US DOJ via web security provider CloudFlare and repurchased from domain registrar GoDaddy.
“DOJ [is] currently in the process of requesting for the preserved data on Cloudflare and GoDaddy, through official channels, [and] coordinating with NBI,” Jimenez said in a statement on Twitter.
On Friday afternoon, a review by Philstar.com of the WhoIs domain name registration of the website shows that the site wehaveyourdata.com was successfully reregistered on GoDaddy at 1:56 p.m., Manila time.
Experts say, however, that even with the site taken down, crooks may have already backed up the data and be planning their next moves.
“Taking down the website doesn’t matter. The people who can do damage with the information already [have] the data,” Carlo Ople, managing director of Dentsu Digit, said on Twitter.
The data, meanwhile, are still available on torrent listings for downloading.
I do not understand why so many hackers feel the need to break into databases like these. Is it for the thrill and sensation of a difficult database hack, just to find identities to steal? I do not understand how people can be so plain cruel.
It’s the incompetence of the government employees.