Personal Data Leaked From 100 Million Citizens of Turkey and the Philippines

These stories got somewhat buried in the wake of the Panama Papers, but are arguably just as significant. First up, Robert Tait, reporting for the Telegraph on the situation in Turkey:

Hackers claim to have accessed the personal details of nearly 50 million Turkish citizens and posted them online in a massive security breach that could seriously embarrass the country’s government.

If confirmed, it would be one of the biggest public leaks of personal data ever seen, experts said – effectively putting two-thirds of the country’s population at risk of fraud and identity theft. AP reported on Monday that it had partially verified the leak as authentic.

Personal information including national identity numbers, addresses, dates of birth and names of parents were all posted online in a downloadable 6.6 GB file.

Additionally, Michael Bueza and Wayne Manuel for Rappler, a Philippine and Indonesian news site:

Information security experts fear that what can be considered as the biggest leak of personal data in Philippine history could result in massive identity theft by preying criminals. This, after hackers boasted on March 27 that they had accessed the Comelec’s [Commission on Elections] database of 55 million registered voters and uploaded it online.

According to Trend Micro, the leaked data was significant, contrary to official denials:

Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections.

Among the data leaked were files on all candidates running in the election with the filename VOTESOBTAINED. Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED files are set to have NULL as the figure.

The COMELEC website also shows real time ballot count during the actual elections. While COMELEC claims that this function will be done using a different website, we can only speculate if actual data will be placed here during the elections and if tampering with the data would affect the ballot count.

For many of you, these stories hit close to home — last year, the United States Office of Personnel Management, which keeps track of government employees, announced that records of between four and eighteen million employees were stolen.

And, since I mentioned the Panama Papers, Mossack Fonseca’s client portal is running an outdated version of Drupal — as in, it currently is, even after the publication of the biggest leak in the world.

There is an astonishing lack of basic information security practices at play here. Who stores their entire voter database in plain text on a public-facing website? Why are Turkey and the United States making citizens’ data available in a web-accessible manner? Why hasn’t Mossack Fonseca updated Drupal already?