Back to News

Comelec hacking: A lesson on cybersecurity

By Manila Bulletin | 29th April 2016

Comelec hacking: A lesson on cybersecurity

Even the most secure government institutions in the most security-conscious countries have fallen prey to hackers - it is obvious that organisations need to stop scrimping on cybersecurity initiatives and give network and data security the importance it deserves.

This article was published by www.mb.com

All over the world, there have been increasing instances of online security breaches, cyber attacks, and data theft. The security breach and data theft on the Commission on Elections (Comelec) online database is just the latest incident of this nature.

Recently, an American Internal Revenue Service (IRS) was also attacked by identity thieves who eventually succeeded in getting the PINS of around 101,000 previously stolen Social Security numbers. Last March, a group of unknown hackers broke into Bangladesh’s central bank, obtained credentials needed for payment transfers, and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.

Based on fresh reports of cyber attacks all over the world, it seems that even the most secure government institutions in even the most security-conscious countries have fallen prey to hackers, in one way or another—the FBI, Homeland Security, NASA, and even the Bangladesh Central Bank and our very own Comelec, to name just a few. The list is getting longer by the day.

The fact is that the amount of data that organizations often need to secure expands much faster than the efforts done to protect it. As data expands, so should the layers of protection provided for it.

When asked about the recent Comelec database hacking in an interview, Allyxon Cua, President of AMTI—a local technology and systems integration company that provides security solutions—said: “What happened to the COMELEC is still unclear to all of us. What we do know is that security was breached and important data was compromised.”

Cua stressed that the incident should make organizations and government agencies realize the need to continually increase security for their online databases.

It should be a wake-up call to every organization big or small. No one can afford to be complacent. The fact of the matter is that if we were to do a security audit of most organizations, both private and governmental, and both here and abroad, we would likely find potential sources of security leaks,” Cua said, emphasizing the fact that even the most secure organizations can fall prey to cyber-attacks.

Why? It’s because security is all about layers. There is in fact an eco-system of solutions that can be put in place in order to mitigate security risks. The more layers are built, the higher the probability of risk mitigation,” he added.

According to Cua, whose company AMTI has been providing security solutions for some of the biggest companies in the Philippines, security is a combination of technology, people and processes, and built-in layers, with more layers equating to better security.

Think about it like if you were accessing your money in the bank. There is a signature requirement. There is the need for you to claim the card at the bank in person. There are PINs associated with your account, one for the ATM and one for the telephone. Your ATM card also has a magnetic strip, a chip, and an encrypting technology, among other things,” Cua notes.

Amex UK even gets your digital print into your phone as a requirement for you to access your account. At the same time, when you go to the bank, there are levels of approvals for the cashier, supervisor and manager.  All of these are layers. A combination of technology, people and processes, all tied by a security strategy,” he adds.

Unfortunately, particularly here in the Philippines, many organizations do not give security strategy the level of importance it requires.  For instance, when security systems are put in place, the level of security remains the same despite the exponential growth of data being protected. And due to limited budget allocations, security strategy and layers of protection rarely get prioritized.

Companies realize later—and oftentimes too late—that a vulnerable organization is an expensive matter to resolve. The sadder fact is that not only are the companies themselves adversely affected—with a substantially dwindled credibility and an army of seething employees or customers—the personal security of so many innocent people becomes unjustly compromised.

Cua goes on to suggest: “To minimize the effects of the Comelec data leak, we must all change whatever info we can—change our passwords for all our accounts, and change our security questions for all our social media networks and online accounts, while ensuring that the answers are not obvious and are not reflected in any other document we have. We should also download or access information only from trusted sources. These may be little things, but they help greatly in neutralizing the possible consequences of the data breach.”

Based on the recent cyber attacks worldwide against institutions that we all believe to be secure and protected, it is obvious that organizations need to stop scrimping on cybersecurity initiatives and give network and data security the importance it deserves.