The Comeleak controversy has since been described as one of the worst breaches of a government-controlled database
The National Privacy Commission found Commission on Elections (Comelec) Chairman Andres Bautista liable and had committed “gross negligence” over the March 2016 hacking of the poll agency’s website, dubbed as the Comeleak.
This was uncovered following an investigation of a “data breach” from March 20 to 27 in 2016. The leak in the Comelec, or what is now called as Comeleak, exposed about 77 million voter registration records, and has since been described as one of the worst breaches of a government-controlled database.
The Comeleak characterized the leak of sensitive information, including the full names, addresses, passoport details and birthday of the voters, which were posted on online platforms and a website that has since been taken down.
The Comeleak controversy came a month after the Comelec was hailed globally as the Electoral Commission of the Year for the success of the May 9, 2016 elections.
Talking to the press on Thursday, the officials of the National Privacy Commission, led by Commissioner Raymond Liboro and Deputy Commissioner Dondi Mapa, said that the evidence that would press Bautista in the criminal prosecution had already been turned over to the Department of Justice (DOJ) , which was expected to get the case rolling.
But the officials immediately clarified that the Comeleak did not compromise, in any way, the May 9 elections.
Mapa qas quoted saying, “The Comelec, in fact, protected the vote. The question is, in its zeal to protect the vote, did it fail to protect the voter?”.
The investigation of the privacy commission discovered that the poll body failed in this regard and its decision dated December 28, 2016, provided details on how the Comelec and Chairman Bautista violated several provisions of the Republic Act 10173, otherwise known as the Data Privacy Act.
The findings revealed that the Comelec did not have even the basic data privacy principles, as it had no data privacy and also did not have a data protection officer.
The privacy commission said in its decision that the Comelec chairman lacked the appreciation that the data protection is more than just implementing security measures, but it must begin from the time the voters’ personal data are collected, to its subsequent use and processing up to its storage and destruction.
National Privacy Commission Commissioner Liboro also added that the Comelec lacked any policy “on how to hold, collect, classify and store information in a safer manner”, in accordance to the law.
The privacy commission ordered several corrective measures for the Comelec to mitigate the “damage” the Comeleak has caused.