When a nation is hacked: Understanding the ginormous Philippines data breach

Troy Hunt

Remember when OPM got breached last year? There was a lot of excitement in various parts of the world (namely the US) because here we had a government department (Office of Personnel Management), and they’d just lost 21.5 million records! These records included such sensitive data as names, dates of birth and addresses and by any reasonable measure, it was serious – that’s almost 7% of the country’s population!

Yet somehow, last week’s news that 55 million Filipino voters’ data was now out in the wild went largely unnoticed. Let’s put it down to a very western-centric tech media but move past that and look at this incident for what it is – a ginormous data breach with extremely sensitive information and at 55M individuals, that’s also more than half the country’s population.

Read on…


  1. JON LIMJAP: What To Do To Protect Yourself If Your Personal Info Is
    Compromised Due to the Recent COMELEC Database Hacking Incident.
    You probably know by now that your personal data has been compromised when COMELEC’s voter database has been hacked and stolen. Some people have confirmed that their personal data has been compromised by the website (wehaveyourdata.com) but PLEASE REFRAIN from using this site as you may expose yourself to further risk.
    A variety of personal data is included in the site: full legal name including your mother’s maiden last name, full birthdate, permanent addresses, and even the image of your fingerprints. OFWs are even more adversely affected as it contains passport information and their address abroad. All of these information can be used against you in the form of identity theft.
    If your personal information is compromised, here are the possible things that might possibly happen to you:
    • Credit card fraud thru over the phone or online purchases with assistance from your credit card company by providing personal details
    • Access to your bank accounts and information by providing your personal details – Receive phishing e-mails coming from individuals or institutions identifying itself as a bank asking information of password or PIN reset
    • Take over your email and social media accounts (Facebook, Instagram, Twitter, etc) by requesting a request password
    • Receive phishing e-mails coming from individuals or institutions identifying itself as a bank asking information of password or pin reset.
    • Email reset request with links
    • You will probably get notices from COMELEC or NBI or any other government or organizations such as banks asking you to check if your name is included in the stolen database.
    These are the things you can do to protect yourself:
    • Change all your passwords, with a unique password for each online account
    • Use password management applications such as 1Password or Passkeeper
    • Change your forgot password secret question and answer making sure to avoid using “Mother’s Maiden Name” as your secret question and answer
    • Use two-factor authentication for all your online banking accounts. If possible, avoid using your cellphone number and use mobile applications and/or physical security devices for two-factor authentication
    • Do not respond to calls from anyone asking you for your personal information, especially your full name, address, and mother’s maiden name. Only provide such information if you’ve called your bank yourself, and as much as possible limit these interactions.
    • Do not follow links received via email, especially those asking you to input your password, or answer questions with personal information. Only provide such information if you’ve personally opened an online banking website yourself
    • Be weary of notices from government, organizations like banks verifying about your personal information
    • Do not open email attachments from email addresses that you don’t know and expect, especially when the files are in HTML, ZIP, JPG, DCOM, RAR, JAR, TGZ, TAR, JS, and APK format.
    This list is by no means complete, so always remember to be vigilant, and in the event of suspicious activity immediately contact the help desk of the online service or financial institution you are subscribed to.
    Edits have been made pointing out the following:
    1. Adding details of the kind of information compromised and adding a final warning.
    2. Adding more detail on the risk faced by OFWs.
    3. Adding a warning that using the aforementioned website exposes users to more security risk
    4. Adding more formats to the list of dangerous attachment types.
    Written by Jon Limjap, Milo Pacamara and compiled by Humprey Cogay and Toto Gamboa