
55M voters' details leaked in Philippines - ptrincr
http://www.theregister.co.uk/2016/04/07/philippine_voter_data_breach/
======
ptrincr
There is more info here [http://blog.trendmicro.com/trendlabs-security-intelligence/5...](http://blog.trendmicro.com/trendlabs-security-intelligence/55m-registered-voters-risk-philippine-commission-elections-hacked/)

------
shade23
Is it only me who thinks that all this is being orchestrated? Starting from
the Panama leaks to Turkish leaks and now this. I don't want to pointlessly
plug a conspiracy theory here. But I would like to know if this argument can
be supported/refuted.

~~~
darkhorn
I predicted it a few years ago. You dump the database, zip it, and upload
it to your Google Cloud. It's that easy if you are an insider. You only need
half an hour and no one will notice. It is more likely to leak if there are more
databases, like citizen db, voters db, social security db etc. We will see
more leaks in the future.

~~~
mnem
It's only that easy if you work somewhere with zero network security. Given
how mismanaged government IT departments seem to be, that's not unlikely
though :)

------
veb
> "I want to emphasise that the database in our website is accessible to the
> public,"

Was it supposed to be? :-)

~~~
fweespee_ch
> “I want to emphasise that the database in our website is accessible to the
> public,” Comelec spokesperson James Jimene said, the Philippine Daily
> Inquirer reports. “There is no sensitive information there. We will be using
> a different website for the election, especially for results reporting and
> that one we are protecting very well,” he added.

Yes.

> Based on our investigation, the data dumps include 1.3 million records of
> overseas Filipino voters, which included passport numbers and expiry dates.
> What is alarming is that this crucial data is just in plain text and
> accessible for everyone. Interestingly, we also found a whopping 15.8
> million record of fingerprints and list of peoples running for office since
> the 2010 elections.

None of this information is particularly secret or sensitive.

1) Fingerprints are left everywhere anyway. You aren't going to be able to
hide these.

2) Passport information is recorded in 2930423904239049203 places already.
Much like your IP address, social security number, etc. it should be treated
like a username and not a password. [i.e. It is the publicly known portion of
your identity]

3) If you are treating PII as private, you are doing everything wrong. These
are all basically public record at this point and pretending otherwise is
silly. The whole reason they are "identifying" is because other people can
look at it and recognize you.

Other "sensitive information":

> Among the data leaked were files on all candidates running on the election
> with the filename VOTESOBTAINED. Based on the filename, it reflects the
> number of votes obtained by the candidate. Currently, all VOTESOBTAINED file
> are set to have NULL as figure.

> Included in the data COMELEC deemed public was a list of COMELEC officials
> that have admin accounts.

> list of peoples running for office since the 2010 elections.

[http://blog.trendmicro.com/trendlabs-security-intelligence/5...](http://blog.trendmicro.com/trendlabs-security-intelligence/55m-registered-voters-risk-philippine-commission-elections-hacked/)

Yes, having a list of candidates that is already public knowledge is
sensitive. Similarly, the list of election officials that have that access is
also basically public knowledge.

This is being played up as some "great secret trove of knowledge" when the
reality is you've given this information to 2903420934239042390 different
people and it's basically public record. Simply because information identifies
you doesn't make it private.

~~~
woodman
> 1) Fingerprints are left everywhere anyway. You aren't going to be able to
> hide these.

Most people don't leave their name/address/uid alongside those prints.
Imagine this scenario: you are hanging out at your friend's house, for
whatever reason you find yourself handling his dildo, he sells it on ebay,
4chan buys it and lifts your prints, your mother gets a call...

~~~
fweespee_ch
[https://www.avvo.com/legal-answers/are-fingerprints-from-a-c...](https://www.avvo.com/legal-answers/are-fingerprints-from-a-criminal-proceeding-public-2269089.html)

> Yes. You may be eligible for a motion to seal or expunge and in that case
> they would be sealed or destroyed. Otherwise, they are public record.

[https://www.eff.org/deeplinks/2015/09/little-fanfare-fbi-ram...](https://www.eff.org/deeplinks/2015/09/little-fanfare-fbi-ramps-biometrics-programs-yet-again-part-1)

> Being a job seeker isn’t a crime. But the FBI has made a big change in how
> it deals with fingerprints that might make it seem that way. For the first
> time, fingerprints and biographical information sent to the FBI for a
> background check will be stored and searched right along with fingerprints
> taken for criminal purposes.

[http://www.secureidnews.com/news-item/countries-adopt-biomet...](http://www.secureidnews.com/news-item/countries-adopt-biometrics-for-voter-id-fraud-prevention/)

etc.

1) There are tons of ways you can end up in a public database with all of that
linked to your fingerprints.

2) Background checks require fingerprints, ever ask yourself how secure that
information is? [ Hint: Not so much, much like SSNs, you have to assume they
are public knowledge if you've ever had this happen. ]

3) Voting records in quite a few countries include this information and they
are basically public record.

> Most people don't leave their name/address/uid alongside those prints.
> Imagine this scenario: you are hanging out at your friend's house, for
> whatever reason you find yourself handling his dildo, he sells it on ebay,
> 4chan buys it and lifts your prints, your mother gets a call...

Yes they do.

~~~
woodman
> None of this information is particularly secret or sensitive.

You are intentionally being obtuse if you don't see how a fingerprint database
is "sensitive". The argument doesn't take practicality into consideration,
potential bad actors just jumped from:

1) The government

2) Anybody who would go through the trouble of very noisily pulling all the
scattered public data together

To:

1) Anybody

While I am of the opinion that any data held by a third party (to include the
government) should be considered insecure, that doesn't blind me to the
practical impact of a massive data dump.

~~~
fweespee_ch
> 2) Anybody who would go through the trouble of very noisily pulling all the
> scattered public data together

I guess I consider that Anybody but fair enough.

------
tomc1985
I don't get it. What is the point of a breach like this?

~~~
fweespee_ch
Getting news coverage for the lulz.

------
xerxes777
It's here: [http://lulzsecpinas.ml/](http://lulzsecpinas.ml/)

~~~
finnn
Seriously? All links that aren't directly to one of their mirrors are Facebook
links?

EDIT: Also, looks like all their mirrors are down, so here's the magnet link
(from the archive.org torrent):
magnet:?xt=urn:btih:bf682442530dac923d030ce225e92fd6d0284f21&dn=ComelecDB1

