The huge data breach suffered by the Philippine Commission on the Elections (Comelec) in April 2016 – just one month before an election – is a strong warning to organisations across the Association of Southeast Asian Nations (Asean) region to put in place security technology and policies to deter such attacks.
Two hacking groups, the Anonymous Philippines and LulzSec Philippines, claimed responsibility for stealing personal information, including fingerprint data and passport information, belonging to around 50 million people.
While Comelec claimed that no sensitive information was released, cyber security firm Trend Micro said the incident was the biggest government-related data breach in history, and included “the fingerprints of 15.8 million individuals, and passport numbers and expiry dates of 1.3 million overseas voters”.
As soon as the news of the hack emerged, questions were raised, such as: How was a hack of this magnitude allowed to happen? Why was the government in Manila downplaying the scale of this incident? Could such a hack have been prevented? What could governments in other Asean countries learn from this breach of security?
Why did the hack happen?
By late April 2016, the Philippines government had arrested two Manila-based individuals connected with the crime: Anonymous Philippines member Paul Biteng, a security researcher who now faces prosecution under the Cybercrime Prevention Act; and Jonel de Asis, a systems integrator at a semiconductor firm in Muntinlupa, who is part of LulzSec Philippines.
According to media reports, Asis hacked the site and stole 340GB of data five days before the site was defaced by Anonymous hacktivists. However, he denies uploading the stolen data to the WeHaveYourData.com site.
Boye Vanell, BAE Systems Applied Intelligence regional director Asia, claimed the website defacement contained messages that suggested Comelec had not properly secured the automated voting machines being used in the upcoming elections.
“Both groups [Anonymous Philippines and LulzSec Pilipinas] are loosely affiliated with their respective wider hacker collectives,” he said. “If this attack was indeed perpetrated by these groups, as has been claimed, then this is a case of an attack being carried out by cyber criminals known as activists.”
Activists are cyber criminals whose motivations are driven by a strong moral, religious or political belief, explained Vanell. In this case the motivator appears to have been political beliefs and distrust of the political system.
These groups are motivated by a desire to change the world, often via illegal or questionable means. As reported by the Manila Bulletin, Asis wanted to highlight security deficiencies in the Comelec website.
“Whether it be defacing a website, disrupting a network through a denial-of-service attack, or causing financial loss or loss of reputation to those with opposing beliefs, the activist often has the skills and the means to leave significant collateral damage in their wake,” said Vanell. “In this case, 50 million citizens' fingerprint data is now reportedly available.”
Hacking and data theft have become professionalised
This attack is the latest in a string of cyber incidents to have affected the Philippine government. Also in April, the Philippine central bank said it had foiled attempts to hack its website, “amid a warning from global financial network Swift [Society for Worldwide Interbank Financial Telecommunication] about recent multiple cyber fraud incidents targeting its system”.
While the Manila voter data hack was reportedly committed by activists, there are numerous threat actors out there – each and every one of them is dangerous in their own way. Hacking and data theft have become professionalised and industrialised, and it’s often organised, disciplined and well-funded.
“For emerging nations like the Philippines, this presents a considerable challenge where technology is revolutionising traditional industries and enabling enormous growth but is at the same time opening up new avenues for cyber attackers to exploit,” said Vanell.
However, it does not help if governments rush to deny security breaches that make the headlines, according to Cathy Huang, research manager at IDC’s Asia-Pacific services and cloud research group.
“The denial of this hacking incident reflects typical behaviour when an organisation has been hacked or their data has been breached,” she said. “In some countries or some verticals, say the healthcare industry, the enforcement of reporting a data loss is very strict. However, the Philippines is one of the countries which may have the relevant personal data protection law on paper, but lacks effective enforcement.”
Combine threat intelligence with data analytics
Vanell claimed organisations need to “understand basic security hygiene as an essential first step, as the vast majority of cyber attacks will exploit unpatched servers or applications, and take advantage of relaxed security awareness.”
He added: “Organisations need to understand what it is they must defend, how exposed these assets are, and what their risk appetite is. Is it payment card details, is it personal data, is it intellectual property? Preparation before the attack comes is vital for reducing the impact on critical assets when it happens.”
“To prevent such attacks, there should be increased cyber security awareness across the organisation,” suggested Huang. “There needs to be management support with regular updates, not just after an incident happens. Organisations must apply security patches regularly to ensure their IT system security is sufficiently robust.”
According to Vanell, organisations from the public and private sectors should take proactive measures to address cyber threats.
“On top of risk identification and asset protection, organisations can get on the front foot by understanding their likely threats,” he said. “Although the global connectivity of the internet may make it seem as if you’re exposed to the whole world, attacks will often come from local sources. This is particularly the case with activists, who may not agree with domestic government policies or groups impacting their immediate sphere of influence.”
Vanell explained that the way to prevent Manila-like security threats is to combine threat intelligence about known threat actors and attack vectors with data analytics that look for as yet unknown threats through behavioural anomalies and patterns. “Ultimately, this needs to be supported with an effective incident response plan in the case that a cyber attack succeeds,” he concluded.
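As an added illustration of the two-layer approach Vanell describes (this is not code from the article or from BAE Systems), the following Python sketch runs a constructed indicator feed and a per-client data-volume baseline over constructed access-log lines, so that a bulk export the feed knows nothing about is still surfaced; all addresses, user agents and thresholds are placeholders.

```python
import re
import statistics
from collections import defaultdict
# Constructed threat-intelligence feed (placeholder indicators, not real IoCs).
KNOWN_BAD_IPS = {"203.0.113.45"}
KNOWN_BAD_AGENTS = {"sqlmap"}

# Constructed access log in Common Log Format; 192.0.2.9 pulls two 70 MB exports.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Mar/2016:10:01:02 +0800] "GET /voters/lookup?id=1001 HTTP/1.1" 200 812 "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2016:10:01:03 +0800] "GET /voters/lookup?id=1002 HTTP/1.1" 200 799 "Mozilla/5.0"
203.0.113.45 - - [25/Mar/2016:10:02:00 +0800] "GET /admin HTTP/1.1" 403 312 "Mozilla/5.0"
192.0.2.9 - - [25/Mar/2016:10:05:00 +0800] "GET /export/all.csv HTTP/1.1" 200 73400320 "python-requests/2.9"
192.0.2.9 - - [25/Mar/2016:10:05:10 +0800] "GET /export/all2.csv HTTP/1.1" 200 73400320 "python-requests/2.9"
198.51.100.8 - - [25/Mar/2016:10:06:00 +0800] "GET /voters/lookup?id=7 HTTP/1.1" 200 790 "sqlmap/1.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+) "([^"]*)"$')

def parse(log):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, path, status, nbytes, agent = m.groups()
            events.append({"ip": ip, "path": path, "status": int(status),
                           "bytes": int(nbytes), "agent": agent})
    return events

def match_threat_intel(events):
    """Known-threat layer: clients matching an indicator from the feed."""
    return {e["ip"] for e in events
            if e["ip"] in KNOWN_BAD_IPS
            or any(bad in e["agent"].lower() for bad in KNOWN_BAD_AGENTS)}

def detect_volume_anomalies(events, ratio=10.0):
    """Unknown-threat layer: clients served more than `ratio` times the median
    per-client byte volume (baseline from the sample; use a history window in practice)."""
    per_client = defaultdict(int)
    for e in events:
        per_client[e["ip"]] += e["bytes"]
    baseline = statistics.median(per_client.values())
    return {ip for ip, total in per_client.items() if total > ratio * baseline}

def triage(log):
    """Combine both layers: known hits first, then anomalies the feed missed."""
    events = parse(log)
    known = match_threat_intel(events)
    return {"known": known, "anomalous": detect_volume_anomalies(events) - known}
```

The anomalous set is the one worth an analyst's time: it is where a client with no prior indicator quietly pulling a large volume of voter records would appear.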