Manila: On March March 27, 2016, hackers under the banner "Anonymous Philippines" hacked the Philippine Commission on Elections (Comelec) server, stole hundreds of gigabytes worth of voter data and defaced the agency's website.
The hackers taunted authorities, leaving a message that called for tighter security measures on the vote counting machines (VCM) prior to the 2016 Philippine general election on May 9, 2016.
On the same day, a separate group of hackers, known as LulzSec Pilipinas, posted a link to what it claims to be the entire voter database and updated the post to include three "mirror" links to the index of the database's downloadable files. The leaked files by the LulzSec group reportedly amounted to 340 gigabytes worth of data.
The attack was considered the biggest data leak in the Philippine history that left 55 million registered registered voters at risk. Security firm Trend Micro reported that the Comelec breach surpassed the US Office of Personnel Management data theft which affected 20 million people.
A month later, the first individual responsible for the data breach, Paul Biteng, then only 23 years old a.k.a. "PhantomHacker Khalifa", was arrested by National Bureau of Investigation (NBI) agents. His demeanor was devoid of remorse. In an unusual turn of events, he even made an unusual requested — a "selfie" with the NBI chief.
Recently, the PhilHealth hackers allegedly demanded $300,000 (about 17 million pesos) in “ransomware” payment from the government, which was not given. The stolen data, released on the ‘Dark Web’, reportedly affected 13 million PhilHealth members.
That same week, another report of a hacking incident involving the Philippine Statistics Authority (PSA) came out, though it was believed to be an “inside job”.
124 million accounts compromised
According to research by a cybersecurity firm Surfshark, a staggering 124 million accounts in the Philippines had fallen victim to data breaches from 2004 — making it the second most affected nation in Southeast Asia, surpassed only by Indonesia with 144 million breached accounts
Here are some key insights into the state of data breaches in the Philippines:
- Global and Regional Rankings: The Philippines ranks fifth in Asia and seventeenth globally based on the total number of breaches since 2004.
- Asian Average: Agneska Sablovskaja, Lead Researcher at Surfshark, emphasises that in Asia, an average of 52 accounts are breached per 100 people. However, in the Philippines, this number rises to 106 per 100 people, indicating that an average Filipino has been impacted by data breaches approximately once.
- Widespread Email Compromises: Out of the 124 million compromised internet accounts, a startling 50 million feature unique email addresses. This implies that, on average, an individual's email address in the Philippines has been breached nearly three times.
- Extensive Data Exposure: The Philippines has seen a total of 420 million data points exposed since 2004, according to Surf Shark. On average, each compromised email address is associated with an additional three data points.
- Password Vulnerability: Disturbingly, 70 million passwords were leaked alongside Filipino accounts. This leaves more than half of the affected users vulnerable to account takeover, opening the door to potential identity theft, extortion, and other cybercrimes.
- Global Perspective: Globally, since 2004, a staggering 17 billion accounts have suffered data breaches, with approximately one-third of them involving unique email addresses.
The findings, the firm said, underscore the urgent need for enhanced data security measures in the Philippines and across the globe as data breaches continue to pose a significant threat to individuals and organisations.
On October 12, Senator Sherwin Gatchalian sounded alarm over the government data breaches, and called for “urgent action”. The breaches also underscore the necessity of providing the DICT access to confidential funds to effectively combat cyberattacks, said Gatchalian, who added that the recent data breaches are “deeply alarming”.
Gatchalian has urged the Department of Information and Communications Technology (DICT) and the Nation al Privacy Commission (NPC) to promptly identify the culprits responsible for the breaches.
16,297number of cybercrime cases received by the Philippine National Police in Q1 2023 alone
Senator Ronald “Bato” Dela Rosa, for his part, had also called for the increase in the DICT's 2024 proposed budget, even suggesting that the agency be provided with intelligence funds.
“It's hard because it really requires funding and there are a lot of budget cuts. Let's see where government priorities should be. If cyber-hacking has less priority, then this will not be allotted funds. But if it is given importance, then the budget should focus on it. So, it is a matter of prioritisation of the government," dela Rosa told local media in Filipino.
Meanwhile, Deputy Senate Minority Leader Risa Hontiveros cited data from the Philippine National Police Anti-Cybercrime Group that in the first quarter of this year alone, it received 16,29 reports of cybercrime cases.
Senator Grace Poe said the hacking incidents should be stopped and the hackers should be held liable. "Data breaches also jeopardise personal information of the people, whose own accounts may be subjected to hacking or unwanted exposures," Poe said, noting that sensitive data could compromise national security. "The government must invest in strong cyber security infrastructures to safeguard public records," Poe added.