The exfiltration of several databases of the Commission on Elections (Comelec) via its website two years ago remains the biggest data breach in Philippine history. The incident involved at least 340 GB of stolen data pertaining to around 77 million Filipinos. To many, that event is still known as “Comeleak.”
The breach was a significant wake-up call. It highlighted the importance of data privacy and the need to take seriously the provisions of the country’s first comprehensive data protection law: Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA). Sure, it did not have to be at the expense of millions of Filipinos whose personal data were compromised. But come to think of it, how receptive would the country be, right now, to data privacy had it not been for the fallout left by that massive breach?
Today, Filipinos are interested in data privacy. Companies and government agencies are also more wary of the vulnerabilities of their data processing systems out of fear of falling victim to the next major leak.
Here are a few other takeaways from Comeleak:
- Despite efforts by government institutions, like the Bangko Sentral ng Pilipinas, to mitigate the risks the breach gave rise to, the public still needs to keep a watchful eye on any attempt to misuse their personal data. The same goes for government agencies and private sector companies, which will be the obvious targets of impostors and fraudsters using the compromised data.
- An increase in impersonation and/or identity theft incidents is among the likely consequences of the data breach.
- Whatever negative effect the breach had originally, it increased exponentially after copies of the compromised databases were leaked online. While attempts were made to remove such databases and links thereto from cloud storage services and torrent sites, respectively, it is impossible to know at this point if copies were successfully downloaded prior to the takedowns, and how many.
- Some of the personal data compromised (birthdates, mothers’ maiden names, addresses and similar details) are exactly the “secrets” that password recovery mechanisms and identity-verification questions rely on, so they can be used to gain access to various online accounts. Among those at risk are: (1) social media and email accounts; (2) subscriptions, plans, and online shopping accounts with linked credit card details; (3) online banking accounts; and (4) credit cards and bank accounts, through fraudulent requests for “replacement” cards or account details.
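To make the password-recovery point concrete, here is an added illustration (not part of the FMA paper or the original article). It simulates a recovery flow whose “security questions” are answered by fields a voter database would hold, and next to it a recovery flow that depends on a random, single-use, short-lived token instead. The record, account names and the `KbaRecovery`/`TokenRecovery` classes are constructed for this example; how the token is delivered to the user (email, SMS) is out of scope.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record, shaped like the fields a leaked voter database
# would contain. Not a real person.
LEAKED_RECORD = {
    "email": "juan.delacruz@example.com",
    "birthdate": "1985-03-14",
    "mothers_maiden_name": "Santos",
    "city": "Quezon City",
}


def attacker_answers_from_leak(record):
    """What an impostor can fill into a 'security question' form
    straight from a leaked copy of the database."""
    return {k: record[k] for k in ("birthdate", "mothers_maiden_name", "city")}


class KbaRecovery:
    """Weak: knowledge-based recovery. The 'secrets' are personal data,
    so anyone holding the leaked record passes."""

    def __init__(self, profile):
        self.profile = profile

    def verify(self, answers):
        return all(answers.get(k) == self.profile.get(k)
                   for k in ("birthdate", "mothers_maiden_name", "city"))


class TokenRecovery:
    """Hardened: a random single-use token per account, stored only as a
    hash, expiring after TTL seconds, limited to MAX_ATTEMPTS guesses and
    compared in constant time. Nothing in the leaked record helps here."""

    TTL = 600          # seconds a token stays valid
    MAX_ATTEMPTS = 5   # guesses allowed before the token is discarded

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._pending = {}              # account -> [token_hash, expiry, attempts]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, account):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._pending[account] = [self._digest(token), self._now() + self.TTL, 0]
        return token                        # hand to the out-of-band channel

    def redeem(self, account, presented):
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._now() > entry[1]:          # expired
            del self._pending[account]
            return False
        entry[2] += 1
        if entry[2] > self.MAX_ATTEMPTS:    # too many guesses: burn the token
            del self._pending[account]
            return False
        if hmac.compare_digest(entry[0], self._digest(presented)):
            del self._pending[account]      # single use
            return True
        return False
```

The first class accepts the attacker because its questions test data, not possession of anything; the second accepts only the one string that was generated at issue time, and only once, within its lifetime, and within a small number of guesses.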
For privacy and information security advocates, the momentum generated by Comeleak in terms of fostering public awareness regarding data privacy and the many uses of emerging technologies should not be wasted. People should be more circumspect when giving out their personal data, while government agencies and private sector companies should also be more careful in securing the information they collect and process.
There are signs that the ripple effect of that event is already beginning to die down. This should not be allowed to continue. If a data breach as big as Comeleak will not be enough to encourage better data protection among Filipinos, one can only wonder if something ever will.
Organizations in both the public and private sector should do their part, too. They should espouse accountability over the personal data under their custody and the data processing systems they own and manage. They should do everything within their means to secure those data and those systems. Should that fail, they ought to address any breach or security incident with care and dispatch, while seeing to the welfare of the affected individuals. Only a consistent multi-stakeholder approach will ensure a more secure world for personal data.
For more information about the breach, the Foundation for Media Alternatives (FMA) released a paper providing a brief narration of how it unfolded, as well as its implications for the field of data protection in the country.