Updated 17:12 PM PHT Thu, January 5, 2017
Metro Manila (CNN Philippines) — The Commission on Elections (Comelec) and its Chairman Andres Bautista are liable for the data breach that put the personal information of millions of voters at risk, the National Privacy Commission (NPC) said on Thursday.
NPC said Comelec and Bautista violated the Data Privacy Act of 2012; it recommended the filing of criminal charges against the Chairman.
The data protection and privacy authority highlighted Bautista's "lack of appreciation" that data protection is more than just the implementation of security measures. NPC added, as chairman of Comelec, Bautista should have made sure that regular review and evaluation of the poll body's privacy and security policies were implemented.
It also said Comelec failed its duty as a personal information controller.
According to the law, the violation of the Data Privacy Act due to negligence is punishable of three to six months imprisonment, and a fine of P500,000 to P4 million. If a government official is proven guilty of this crime, he or she will be disqualified from public office.
NPC also recommended that Justice Secretary Vitaliano Aguirre III further investigate the issue for possible prosecution.
Bautista: Why file a case against me?
Bautista told CNN Philippines he was surprised upon learning NPC's decision, saying the hackers are liable for the data breach and not the poll body.
"Nakakabigla ito dahil sa aking palagay may mga pagkakamaling nakikita ang NPC. Ang hacking ay nangyayari sa buong mundo. Kahit sa U.S. government, naha-hack. Dapat bigyang tuon 'yung paghuli ng mga hacker kaysa parusahan ang naha-hack," he said.
[Translation: This is surprising because in my opinion, the NPC saw mistakes were made. Hacking happens the world over. Even the U.S. Government was hacked. Efforts must be focused on arresting the hackers instead of punishing those who were hacked.]
He also raised questions on the credibility of NPC.
"Itong NPC nabuo lang ito noong Marso 2016. Wala pa po silang binibigay na implementing rules and regulations, kung kaya hindi namin alam ang standard na dapat sundin," he said.
[Translation: The NPC was established only in March 2016. They never issued to use any implementing rules and regulations, which is why we never had any idea what standards to follow.]
Bautista also pointed out that the IT Department of Comelec — which was directly in charge of the website — was not found liable for the security breach, so he's asking why the NPC recommending a filing of criminal case against him.
"Bakit ako, bilang pinuno? Kung magka-breach sa website sa Supreme Court, ang kakasuhan ba ay si Chief Justice Sereno?" he said.
[Translation: Why me, as chief? If there's a breach in the Supreme Court website, should a case be filed against Chief Justice Sereno?]
The Chairman said Comelec did all it could to resolve the hacking.
"Walang ginawang kapabayaan ang Comelec dito... Nung nangyari ito, ginawa namin ang lahat ng makakaya para mabawasan ang danyos," he said.
[Translation: The Comelec was never negligient. When this happened, we did everything we could to lessen the damage.]
Bautista, in a statement, also said the NPC's findings were based on a "misappreciation of several facts, legal points, and material contexts."
Comelec said the Office of the Solicitor General will file a motion for reconsideration with the NPC.
'Worst recorded breach'
NPC's investigation said the data breach compromised the voter database in the Precinct Finder web app, which stored 75 million records — including the firearms ban database; and Comelec personnel database, which contained the personal records of 1,267 employees.
NPC called the breach the "worst recorded breach on a government-held personal database in the world, based on sheer volume."
Last March 27, hacktivist group Anonymous Philippines hacked the poll body's website, asking Comelec to make sure the PCOS have security features in place. Hours later, another group named Lulzsec Pilipinas, posted Comelec's entire database and leaked it on Facebook, with three mirror links to download the database.
The suspected hackers are in the custody of the police and are facing charges.
CNN Philippines correspondent JC Gotinga contributed to this report.