The National Privacy Commission (NPC) has ordered the Commission on Elections (COMELEC) on Monday to take serious measures to address its data processing vulnerabilities after the computer of the Office of the Election Officer (OEO) in Wao, Lanao Del Sur was stolen last January 11, 2017.
The stolen computer contains data from the Voter Registration System (VRS) and Voter Search applications, and the National List of Registered Voters (NLRV). The stolen data also contains biometric records of registered voters in Wao, Lanao del Sur.
In its initial probe, the NPC discovered that all COMELEC field offices across the country maintain their own soft copies of the NLRV, which contains the personal information of roughly 55 million voters.
The NLRV database was also used in the Precinct Finder application, which was exposed in last year’s COMELEC website data breach.
“This is already COMELEC’s second large-scale data breach in a span of less than a year—a case of a database being breached twice under different circumstances. This time, it involves actual large-scale biometrics data of voters in a municipality. The Commission is very concerned especially since there’s on-going voter registration nationwide. We will delve deeper into the problem to possibly recommend other measures for Comelec to implement to protect voter data nationwide,” said Privacy Commissioner Raymund Enriquez Liboro.
“This breach illustrates that there are many ways to lose personal data. That is why data protection is not only an IT security issue involving firewalls. It’s a governance matter that covers organizational and physical measures to protect data. In this case, failure to secure the very computer containing personal data can be just as disastrous. If the COMELEC won’t address the problem systemically, this will happen again and again,” Liboro added.
In its Compliance Order dated February 13, 2017, the NPC directed the poll body to erase all copies of the NLRV in the COMELEC’s computers in the different municipalities and cities, if the COMELEC cannot secure the database using appropriate organizational, physical and technical measures.
The privacy watchdog is also tasking the poll body to notify all data subjects affected by the personal data breach within two weeks. Individuals with records in the NLRV may be notified by COMELEC through publication in two newspapers of general circulation. The COMELEC is also being directed to individually notify the data subjects with records in the VRS in Wao, Lanao Del Sur.
Within two weeks, the poll body is also tasked to submit to the NPC its “proposed and implemented revisions” in the voter registration process, considering the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other related NPC circulars.
The poll body is also being required to submit the status the measures it intends to implement in addressing this personal data breach, as outlined in its report to the NPC.
THE STOLEN COMPUTER
At around midnight of January 11, 2017, unidentified persons reportedly stole the desktop computer of the COMELEC’s OEO in Wao, Lanao Del Sur.
Seventeen days later, on January 28, 2017, COMELEC Executive Director Jose M. Tolentino notified the NPC of the data breach.
The data breach exposed information in the NLRV and the Voter Search application, and the detailed voter registration records of registered voters of Wao, Lanao del Sur.
The NLRV contains approximately 75,898,336 records as of October 17, 2016. Of these, 55,195,674 are active voters and 20,703,662 are deactivated voters.
The VRS contains a total of 58,364 registration records for Wao, Lanao del Sur. Of these, 40,991 records are for registered voters for the coming barangay elections (as of October 19, 2016), and 17,373 records are for the Sangguniang Kabataan (SK) elections (as of September 13, 2016).
The COMELEC identified 35,491 active records for the barangay elections, and 17,336 active records for the SK elections.
While the COMELEC claims the data in the database is encrypted, the COMELEC admitted that “[I]f the robber will be able to gain access to the VRS, and to decrypt the VRS and the NLRV data, the personal data might be used by unscrupulous persons for purposes other than those legitimately intended.”