The hacking of the Philippines’ Commission on Elections (Comelec) has created one massive data leak that affected almost all, or perhaps all, of the registered Filipino voters. A few days ago, there was a website that provided access to the available information by using one’s name as a search term, and it showed all available information under that name. I just had to check which parts of my personal information had been leaked, so that I would know my personal risk factors connected to the leak. Indeed, my name was there, including some personally identifiable information (PII).
Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. (http://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information)
I won’t enumerate what my leaked data contained, to retain a sense of security. But let’s just say that if someone was determined to do something with it, there may be bits of information that can be useful to them if I am not careful with my transactions both online and offline. And my information is already out there somewhere on the internet, most probably on the dark web, and it will probably be there forever.
Blame it on the government’s incompetence in digital security. However, no amount of blaming can reverse what has already been released to the world. Somehow I’m also a bit thankful for the government’s general incompetence in data management, because there were some typos in my data that might make a difference. And I’m thankful that there is essentially no data consolidation across the different government agencies, so the leak of PII from one government entity did not connect to all other available personal information in other government agencies.
So now that my (and everyone else’s) personal data has been compromised, what can we do to protect ourselves from any harm that it can cause?
- Secure all your accounts. This is very important for all financial accounts, digital and online accounts, as well as any other accounts that may be accessed using your PII.
  - A lot of financial institutions verify transactions using PII (e.g. mother’s maiden name, home address, etc.), but there are additional security features which may be available from some institutions, such as mobile notifications or email notifications. These will alert you if there are any dubious transactions under your accounts.
  - Ensure that your passwords online are very secure, including your password recovery options. Change all your passwords if you think your password may also have been compromised. For password recovery options, avoid using PII. Use strong passwords as much as possible. See tips here: https://support.google.com/accounts/answer/32040?hl=en. If possible, also utilise extra layers of security available, such as 2-step verification.
- Monitor your transactions. Online banking is a pretty good way to monitor all activities in your account to ensure that nothing goes wrong, or if something goes wrong, you’ll be able to do something about it immediately. This also goes for your other accounts.
- Avoid phishing attempts.
  - Phone call phishing. In the past, I’ve already experienced receiving a call from someone who was posing as being from my bank and attempting to “verify” my personal information. I’m quite wary about those since I was not expecting that call, and there were other means to verify and update my information, so I did not give any information. I can imagine that possibly happening with the available information, with phishing attempts to get more information that may be used in identity theft.
  - Email phishing. Be careful when you open emails, especially those that you are not expecting, or those from senders that you are not familiar with. Make sure you don’t click on unnecessary links that may send your computer viruses, or hack your accounts, or steal your information.
- Keep a low profile. Remember that the leaked information is comprised of millions of individuals, and you are only one of them. Since the information is mostly searchable by name, it may be the more popular and known ones who are first targeted by criminals or what-nots. Remember BIR? It was the people who show up on the news (no matter how unconnected to taxes) who get their income tax closely reviewed and scrutinized. I would think it may be the same for this massive data leak. If you’re relatively unknown and do not seem to have a lot to offer, hopefully you’ll just go unnoticed.
- Use an alias online. Or at the very least, do not display your full legal name (with your middle and last names) on your social media and other online accounts. It may give you one thin layer of protection since the leaked information has your full name.
What else? I really don’t know, I’m not a data security expert. These are just some ways I can think of to protect myself, and how you can protect yourself in the midst of this massive mess that is the Comelec data breach.