The Philippines may have suffered its worst-ever government data breach barely a month before its elections.
By Leisha Chi
Personal information, including fingerprint data and passport information, belonging to around 70 million people is said to have been compromised by hackers.
The Philippine Commission on the Elections (Comelec) saw its website defaced at the end of March.
The Anonymous Philippines group has claimed responsibility for the attack.
The group said it sought to highlight “vulnerabilities” in the system, including the use of automated voting machines that will be used on 9 May.
A second hacker group called LulzSec Philippines is believed to have posted Comelec’s entire database online several days later.
Comelec claims that no sensitive information was released, according to multiple reports.
However, cybersecurity firm Trend Micro believes the incident is the biggest government-related data breach in history and that authorities are downplaying the problem.
“Every registered voter in the Philippines is now susceptible to fraud and other risks,” it said in a report.
Why the Philippines?
The Philippines general election takes place every six years and will see a new president, vice-president and more than 18,000 other officials voted into office.
Investors will closely be watching the polls given the Philippines is one of Asia’s fastest-growing economies.
This is only the third time the South East Asian nation has held automated elections and Comelec has faced criticism that security is not tight enough.
Ryan Flores, a senior manager at Trend Micro, said the government’s cybersecurity vulnerabilities could lead to the election being “sabotaged”.
“One of the more sensitive issues is that the [leaked] database is the same for the automated system being used for the election,” he told the BBC.
“Come election period, anyone who has ill intentions can modify the results.”
That was one of the reasons Anonymous Philippines cited for hacking the Comelec website.
It posted a message saying “what happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?”
How big is this leak?
Trend Micro believes the Philippines breach may surpass the 2015 hack of the US Office of Personnel Management.
That incident saw the data on 20 million US citizens, including fingerprints and social security numbers, stolen by unknown hackers. Data taken in that attack has, so far, not been found online.
Last week, Panama law firm Mossack Fonseca saw more than 11 million documents released in what is being described as the biggest data leak in history.
Other high-profile targets in recent years where data has been stolen include online dating site Ashley Madison, US retailer Target and the entertainment arm of Sony.
The healthcare and education industries are the most affected by data breaches, according to Trend Micro.
Government agencies are the third biggest sector, followed by retail and financial industries.
What can be done to prevent similar attacks?
Mr Flores believes such breaches are likely to happen again, particularly in developing countries, and that “a stronger security mindset” was needed.
This includes the hiring of an information security team who would be responsible for highly sensitive data, as well as installing software that can track any irregularities in the network.
Mr Flores said countries like the Philippines “don’t really have any agency or mandate in the government to improve their security posture”.
“They have more pressing needs rather than digital security,” he said. “Being a third world country plays into that.”
However, he stressed that the investment was needed given there was an increasing trend of young people with technology know-how gravitating towards hacking groups.