Hackers Expose Philippines Voter Database

A breach of the Philippines’ Commission on Elections (Comelec) affecting about 55 million people could be the largest hack of government-held data ever, according to security specialists.

Government representatives have downplayed the seriousness of the breach, which took place late last month, but IT security firm Trend Micro said its analysis of the exposed data found that it included sensitive information such as passport numbers and fingerprint records.

“Every registered voter in the Philippines is now susceptible to fraud and other risks,” Trend said in an advisory. “With 55 million registered voters in the Philippines, this leak may turn out as the biggest government related data breach in history.”

Comelec’s website was defaced on 27 March by the Philippines branch of the Anonymous hacker group, which left a message accusing the government of poor security ahead of upcoming elections on 9 May.

Later on the same day a different but linked group, LulzSec Pilipinas, posted an online link to what it claimed was Comelec’s entire database, a 338 GB file containing 75.3 million individual entries. Just over 54 million of those entries would seem to correspond to the Philippines’ 54.36 million registered voters, according to Trend.

The database includes 1.3 million records for overseas Filipino voters, listing their passport numbers and expiry dates, in an easily searchable plain-text format, Trend said.

“Interestingly, we also found a whopping 15.8 million record of fingerprints and a list of people running for office since the 2010 elections,” the company stated.

Vote fraud fears

The Philipines uses an automated voting system, and the hacker groups both said their actions were intended to call the security around that system into question.

Comelec has said the voting system uses a separate system that’s better protected than the hacked site.

“We will be using a different website for the election, especially for results reporting and that one we are protecting very well,” a Comelec spokesman said at the time of the hack.

The breached Comelec database affects more people than a leaked database on more than 49 million Turkish voters exposed last week, but the Turkish database contains more sensitive information – detailed records, including parents’ names and addresses, on every person listed.

Last year a breach of the US government’s Office of Personnel Management (OPM) leaked information including fingerprints and social security numbers on 20 million current and former government employees.

Are you a security pro? Try our quiz!