Data breach · Resolved

COMELEC 'Comeleak' voter database breach

Hackers defaced the Philippine Commission on Elections website and leaked its entire voter registration database — records on roughly 55 million voters, including 15.8 million fingerprints and 1.3 million overseas passport numbers — in one of the largest government breaches ever.

Victim: Commission on Elections (COMELEC)
Records: 55.0M
Users: 55.0M

On 27 March 2016, hackers defaced the website of the Philippine Commission on Elections (COMELEC) and, within hours, posted its entire voter registration database online. The exposure of personal data on roughly 55 million registered voters — six weeks before a national election — became known as "Comeleak" and ranks among the largest government data breaches in history.

What happened

Two groups were involved. Anonymous Philippines defaced the COMELEC homepage, leaving a message demanding tighter security for the vote-counting machines to be used in the 9 May 2016 general election. Hours later, a second group, LulzSec Pilipinas, published the full database — about 340 gigabytes of data — on a public mirror.

Investigators later established that LulzSec member Joenel de Asis had downloaded the database on 22 March, five days before the defacement, exploiting weak security on COMELEC's web infrastructure.

Data exposed

The leaked records contained:

  • Full names, dates of birth, and home and email addresses
  • Parents' full names
  • 15.8 million fingerprint records
  • Passport numbers and expiry dates of 1.3 million overseas (OFW) voters

The biometric and passport data made the leak far more damaging than a typical voter-roll exposure, creating long-term identity-theft and fraud risk for tens of millions of Filipinos.

Arrests and prosecution

The National Bureau of Investigation moved quickly. Paul Biteng, a 20-year-old IT graduate linked to Anonymous Philippines, was arrested on 20 April 2016 and admitted to the defacement while denying involvement in the leak. Joenel de Asis, a 23-year-old leader of LulzSec Pilipinas, was arrested on 28 April and admitted downloading and leaking the database.

Regulatory fallout

In a landmark ruling on 28 December 2016, the National Privacy Commission (NPC) found that COMELEC had violated the Data Privacy Act of 2012 through inadequate safeguards, and recommended the criminal prosecution of COMELEC Chairman Andres Bautista for negligence. It was the NPC's first major enforcement action and set a precedent that agency heads could be held personally accountable for data-protection failures.

Why it matters

Comeleak is the Philippines' defining government breach: a near-total exposure of the national electorate's personal and biometric data on the eve of a presidential election. It catalysed enforcement of the Data Privacy Act, established personal accountability for public officials, and remains a global cautionary tale about the concentration of sensitive identity and biometric data in election systems.

Timeline

  1. Joenel de Asis (LulzSec Pilipinas) downloads the COMELEC voter database, five days before the public defacement.

  2. Anonymous Philippines defaces the COMELEC website; hours later LulzSec Pilipinas posts the entire database online.

  3. COMELEC restores its website and downplays the severity, claiming no sensitive data was compromised.

  4. Paul Biteng is arrested by the NBI for defacing the website.

  5. Joenel de Asis is arrested; he admits downloading and leaking the database.

  6. The National Privacy Commission finds COMELEC violated the Data Privacy Act and recommends criminal prosecution of Chairman Andres Bautista.


Related incidents

Data breach · Resolved

AKP Emails data breach (2016)

In July 2016, a hacker known as Phineas Fisher hacked Turkey's ruling party (Justice and Development Party or "AKP") and gained access to 300k emails. The full contents of the emails were subsequently published by WikiLeaks and made searchable.

Victim: AKP Emails
Records: 917.5K

Data breach · Resolved

Mexican voter database exposure (Mexico, 2016)

A misconfigured MongoDB database left the full Mexican national voter roll — 93.4 million records including names, addresses, birthdates and national ID numbers — publicly accessible on Amazon's cloud with no password, for months.

Victim: Instituto Nacional Electoral (INE) — Mexican voter registry
Records: 93.4M