NPC conducts separate clarificatory meetings with Manila Bulletin and the COMELEC

The National Privacy Commission (NPC) conducted separate clarificatory meetings on January 25, 2022 with representatives from the Commission on Elections (COMELEC) and Manila Bulletin regarding the alleged hacking and data breach involving COMELEC servers.

COMELEC denied that the database of overseas voters was compromised and clarified that a list of overseas voters is made publicly available on their website as mandated by law. When asked to confirm if some of the artifacts came from their servers, COMELEC reiterated that it cannot be so since those were not yet generated for the 2022 elections.

On the topic of their full incident report, COMELEC sought for extension of time to submit the approved report. NPC issued a subsequent Order reiterating to the COMELEC to submit said incident report and provide answers to the clarificatory questions stated in the NPC Order dated January 21, 2022. The COMELEC is directed to submit the full incident report on or before January 27, 2022. It is also ordered to submit additional documents discussed during the clarificatory meeting.

In a separate clarificatory meeting, Mr. Art Samaniego, Jr. and Manila Bulletin confirmed that the artifacts gathered by the NPC are the same artifacts that were the basis of their published report. NPC required Mr. Samaniego and Manila Bulletin to provide additional artifacts for analysis and comparison with the artifacts collected by NPC’s Complaints and Investigation Division. The artifacts were submitted to the Commission yesterday, January 26, 2022.

NPC also summons a third-party provider of COMELEC possibly involved in the issue to appear in a clarificatory hearing before the NPC. The Commission is also pursuing leads regarding this issue, including a group of hackers claiming responsibility for the hack, especially on matters involving personal data.

“Rest assured we are continuing the investigation to determine if personal data was compromised, violations of the Data Privacy Act were committed, and the responsible individual or group for this incident,” said Privacy Commissioner John Henry D. Naga.

The separate meetings were attended by Executive Director Bartolome Sinoruz, Jr., Director James Jimenez, and Director Jeanni Flororita from COMELEC; and Mr. Herminio Coloma, Jr., General Reynaldo Rafal, and Mr. Art Samaniego, Jr. from the Manila Bulletin.