Over a week ago, I was lazily browsing headlines on Hacker News, minding my own business, when suddenly my entire world view was irreversibly turned upside-down after I came across Web security expert Troy Hunt’s excellent blog post on the recent COMELEC data leak, the irresistibly but aptly titled entry “When a nation is hacked: Understanding the ginormous Philippines data breach”. It turns out, despite what the folks at COMELEC would have you believe, the hyperbole in this case isn’t only warranted, it’s the only way to capture the sheer scale of this mess into words we humans can grasp.
When I first read about the data breach as it was initially reported in late March, I simply shrugged it off as nothing more than election-related fodder for the politically-inclined (a region in the Venn diagram of the Philippine online community that I’m only tangentially aligned with). COMELEC’s early assessment of the situation painted the incident as garden-variety online vandalism, supposedly having no serious consequence except causing temporary inconvenience for visitors of its site. Very reassuring.
But days after the intrusion event and with a string of unexpected twists and turns in the unfolding story, it was becoming clear that this might be far more serious than what the polling agency cared to publicly admit. And now, nearly a full month has passed; all signs clearly show that this thing is massive and that potentially millions of verified voters for the upcoming elections are at risk of being royally screwed. If you think I’m exaggerating, then read the rest of this post. If not, just read on anyway.
It’s one of the largest leaks in history.
According to data compiled by Information is Beautiful, the COMELEC data leak ranks as one of the world’s biggest data breaches. With 55 million records stolen, it easily carves out a comfortable place among the 15 largest hacking incidents of all time, as this table shows:
Ranking | Name | Industry | Year(s) | Records (in millions) |
---|---|---|---|---|
1 | Massive American business hack | financial | 2012 | 160 |
1 | 420,000 websites | web | 2014 | 160 |
2 | Ebay | web | 2014 | 145 |
3 | Heartland | financial | 2009 | 130 |
4 | TK / TJ Maxx | retail | 2007 | 94 |
5 | Anthem | web | 2016 | 80 |
6 | Sony PSN | gaming | 2011 | 77 |
7 | JP Morgan Chase | financial | 2015 | 76 |
8 | Target | retail | 2014 | 70 |
8 | Securus Technologies | web | 2016 | 70 |
9 | UbiSoft | gaming | 2013 | 58 |
10 | Home Depot | retail | 2015 | 56 |
11 | Philippines’ Commission on Elections | government | 2016 | 55 |
12 | Evernote | web | 2013 | 50 |
12 | Living Social | web | 2013 | 50 |
To put that number into perspective, recall that the Philippine population is currently estimated to be around 101.5 million, which means that the COMELEC hack can potentially affect as many as 54.2% of Filipinos alive today. (Please note that the entries included in the above table are those which resulted from external cyber-intrusion and do not include inside jobs or accidental security compromises.)
You might also notice that, among the entries in the previous table, the COMELEC hack conspicuously stands out as the only one carried out against a government institution. I was able to get a hold of the data file maintained by Information is Beautiful and found that, at time of writing, the COMELEC hack actually happens to be the biggest data breach concerning any government body in any country, as shown in the table below:
Ranking | Name | Year(s) | Method | Records (in millions) |
---|---|---|---|---|
1 | Philippines’ Commission on Elections | 2016 | hacked | 55.0 |
2 | Turkish citizenship database | 2016 | leak | 49.6 |
3 | US Dept of Vet Affairs | 2006 | lost / stolen computer | 26.5 |
4 | UK Revenue & Customs | 2007 | lost / stolen media | 25.0 |
5 | US Office of Personnel Management (2nd Breach) | 2016 | hacked | 14.0 |
6 | Greek government | 2012 | hacked | 9.0 |
7 | Virginia Dept. Of Health | 2009 | hacked | 8.3 |
8 | Office of the Texas Attorney General | 2012 | accidentally published | 6.5 |
9 | Chile Ministry Of Education | 2008 | accidentally published | 6.0 |
10 | Norwegian Tax Authorities | 2008 | accidentally published | 4.0 |
11 | State of Texas | 2011 | accidentally published | 3.5 |
12 | Driving Standards Agency | 2007 | lost / stolen media | 3.0 |
13 | UK Ministry of Defence | 2008 | lost / stolen media | 1.7 |
14 | Kissinger Cables | 2013 | inside job | 1.7 |
15 | Jefferson County | 2008 | accidentally published | 1.6 |
In his heroic attempts to downplay the sheer scale of the COMELEC data breach, Chairman Andres Bautista sounded a bit silly when he implied that since other government agencies’ websites have also been compromised before, then the COMELEC hack must be nothing out of the ordinary. The reality is quite different, as we’ve seen in the previous table and as we’ll see in more detail later.
The COMELEC data theft dwarfs many high-profile government data leaks including the biggest in U.S. government history, the 2014-2015 Office of Personnel Management (OPM) data breach with 21.5 million records compromised (the 14 million in the above table refers to the second OPM breach), believed to have been carried out by Chinese hackers. Clearly, the OPM hacking incident (which, by the way, resulted in the resignation of the Director concerned) woefully pales in comparison to the COMELEC leak. We’re #1!
But that’s just the quantity of voter records stolen. Wait until you find out the quality of personal information that’s now freely floating out there, available to anyone with a decent Internet connection and an indecent intention.