After about two months of investigation and various denials from different concerned agencies, lawmakers on Thursday, March 17 confirmed that there was "indeed a security breach" in the operations of the Commission on Elections' (Comelec) service contractor, Smartmatic.
Senator Imee Marcos, chairperson of the Joint Congressional Oversight Committee (JCOC) on the Automated Election System, told reporters that the data breach compromises "the processes and operations of Smartmatic in very serious ways".
Although Marcos didn't consider the data breach as hacking, Senate President Vicent "Tito" Sotto said "technically, it was a hacking."
Lawmakers made the discovery after conducting three hearings, including a closed-door session with representatives from Comelec, Smartmatic, National Bureau of Investigation (NBI), Department of Information and Technology (DICT), and various poll watchdog groups, among other agencies.
The investigations were prompted by a Manila Bulletin report in January stating that Comelec servers were hacked, resulting to possible compromised voters' information.
"What is clear: Art Samaniego, Manila Bulletin, and the media have been the best watchdog," Marcos concluded.
However, Smartmatic's spokesman, Christopher Louie Ocampo denied the lawmakers' report.
"Gusto lang po naming i-clarify 'no...na supposedly merong personal data breach sa Comelec or sa Smartmatic that could possibly affect the 2022 national and local elections. Gusto lang po naming klaruhin na hindi po 'yung totoo (We just want to clarify that, supposedly, there was a personal data breach from the part of Comelec or Smartmatic that could possibly affect the 2022 national elections. We just want to clarify that it's not true)," he said.
"Hindi po involved sa processing or storing ng personal data of any voter for the 2022 elections (We're not involved in the processing or storing of personal data of any voter for the 2022 elections)," he added. "Ang Smartmatic po, ang kontrata lang po is to provide the automated election system (The contract of Smartmatic is only to provide the automated election system)."
Marcos, sister of frontrunning presidential aspirant Ferdinand "Bongbong" Marcos Jr., said the media "was right" in its report of the alleged hacking.
"Something did happen despite the vociferous denials of all institutions concerned in the past two hearings," she said. "Merong kababalaghan na nangyayari (There were shenanigans happening)."
Marcos said investigations are stil being conducted by the NBI, DICT's Cybercrime Investigation and Coordinating Center, and National Privacy Commission, among others.
Among other data breaches that happened included a Smartmatic employee who managed to take home his or her laptop and allowed a "certain group" to copy their data, the lawmakers said.
"But the potential for a very serious breach is now there. Because it appears that Smartmatic as all its contractual employees who have access to very confidential data, locations and other facilities. It's rather alarming," Marcos said.
The lawmaker said personal information of several individuals, including those who "play golf and drink wine," were disclosed and are now even posted on Facebook.
"The Comelec has said na tapos na yun, di na raw sila papayagan... Subalit ito nga, ano pa ang access nitong contractual employees, itong mga take home na mga issued laptops at saka yung mga binibigyan na remote access na iba ibang tao (that it's all done. The employees will not be allowed to get access to the data. But this happened. So what else do contractual employees have access to? How about these take home issued laptops and who are the people they give remote access to)," she said.
Manila Bulletin reported in January that sensitive voter information may have been compromised after a group of hackers managed to breach the servers of Comelec and downloaded more than 60 gigabytes of data that could possibly affect the May 2022 elections.
The report also stated that the other downloaded files included network diagrams, IP addresses, list of all privileged users, domain admin credentials, list of all passwords and domain policies, access to the ballot handling dashboard, and QR code captures of the bureau of canvassers with login and password.
The lawmakers did not specify from which election year were the purported breach happened.