Uni 105 Ant Carga Cents Veo Sas Sakodo Viays 1227 Meteo Mac (2 oR287I60 sr4tas. 462.A873803 (earned banti iis Fp 22, 2016 > ee Grete evar san sth) Yon sm ain Dopo au NT oezeame HU Paeoe Sea rosa Nil een AlU) {niramuros, Manila : ave Ua fe (Ene [eae | Dear Commissioner Bautista z We write on behalf of our client, Jose Ramon G. Albert, Ph.D., 2 senior research fellow of the Philippine Institute for Development Studios, former Secretary General of the now defunct National Stalistical Coordination Board, and member of the Privacy Advisory Group of the United Nations Global Pulse, regarding the recent massive leak into the web by hackers of sensitive personel information belonging to 55 milion Filpino voters supposedly in the protection and custody of the Comelec: Indeed, since early Apri, there had been persistent reports that the Comolec's system has been hacked, and that information pertaining to sensiive personal information of Fiipino voters based here ‘and abroad has been taken. Credible information technology (IT) securily and news websites, such as TrendMiom and Wired.com, have reported that voters’ data ~ ranging from birthdates to passport numbers and even fingerprints — has been dumped into the internet, compromising the secunty of millions of Filipino voters. But sinco news broke out in the inlemational media about this horrendous data breach, the ‘Cometec ~ through your good self and its spokesperson, Mr. James Jimenez — has boen fess than forthright about t, consistently downplaying it as nothing to worry about, and claiming thatthe information Teaked by hackers tothe web ace no more than the kind that is already publicly avallable Today's news reports, however, now clearly belie these claims. Voters’ data ~ fom a person's voting precinet to fngorpinis — was made availabe in a Russian-based website called Philippines we ave your datarb and al that one had fo do was Key in one’s ist and last ames, to get information on that person's voter's records, When he found out about i, our client Me. Albert personally checked if his sensitve personel information were indeed searchable through the said website He was shocked to see that sensitive personal information he had provided to the Comelec during voters registration are now publicly available tough tho website, including suc information as tag voaora, hie bidhdate, his address, his sex, and his fingerprints. These are, by any stretch, no dreinary personal information readily available inthe public domain. ‘As a member of the Privacy Advisory Group of the UN Giobal Pulse, Dr. Albert understands very wel the wegalve impleations of this hacking incident to the informational sacuiy of al the effected voters. fort to our cent o hear of fakin cteles of information technology experts ‘Algo, it gives litle com \g and leaving Comelec's servers at will fr the last three that the hackers had apparently been enterin years ‘question yielded sensitive personal information ors and actresses, and to many alher prominent inal the breach spared ordinary citizens. Indeed, our own checking of the website in polonging to the Justices of the Supreme Court, to ac personalities in Philippine society. And this is not to say tat breach was not ‘olin ¥ provi ats ess 7 breach was a hey ron Ty eee ‘a eee Sensitive personel information involved in the Submit them, if they wanted to exerciso thair right to that you Wo ver the Philipines wo have your ead abst. Foweve’, te ippines we have your data:h website. However, the 'd, inasmuch as it raises more questions than apology you hi avi eee © offered stil leaves much to be dost Sect ection 20(0 of the RA 1173, he Data Privacy Act of 2042, where such ao" as th h ar ate 2 Sbigaion ooiy the Data Privacy Commission and afected dat a lescrbe the nature ofthe breach, the sensitive personal information leasuros taken by the enfity to address the breach, First, under Occurred, the Comelec h: Subjects. The notice she possibly invoWed, and Itha {0 give tore can almost a month now sino the Incident happoned. Yat unt now, the Come has yt 6, GNe formal notfcation to al the registered veers regarding the breach, as required by Section 20 ate ivacy Act, The Comelec’s long silence on what has been dubbed as the worst incident of fata theft in digital history is simply incomprehensible. Second, under Section 21 (b) of the Data Privacy Act, the Comelec has a legal obligation (0 designate who are the officials accountable for its compliance with the provisions of the Act. Third, we elso take this opportunity fo remind you that under Sec. 30 of the Data Privacy Act, itis fa crime to conceal security breaches involving sensitive personal information, with a penalty of imprisonmentof one year and six months to five years and a fine of not less than Php 600,000.00 but not more than Php1,000,000.00. ‘Through this letter, our cifent, as a service to the public and fo protect his own informational privacy, now formally demands thatthe Comelac oti as required by tw the Data Privacy Commission Priva 'sB milion registered Filipino voters, of (a) this hacking incident anc! the resulting massive leak of ant Five, personal information (including the exect nature of the information released) (e) of the sotves taken by it fo address tho breach and (¢) of who are tho ofciais designated by the Comelec hs accountable for its compliance with the lav. Given the urgency of the matter ~ considering that 2s it has been nearly @ month since the massive breach happened - we ask thatthe Comer lake immediate steps fo do 60, Gan ea hours from receipt of this letter. written demand now being made before your good office is without prejudice to resort his formal ae istrative, owil and criminal remedies also available to him under law. py our client to adr Very tly yours,