The National Privacy Commission (NPC) on Tuesday ordered the Commission on Elections (COMELEC) to explain in a clarificatory meeting on January 25 the alleged hacking first reported by the Manila Bulletin on January 10.
In a statement, the NPC also ordered the Manila Bulletin and Art Samaniego Jr., technology editor and information and communications technology head of Manila Bulletin Publishing Corporation, to appear in the meeting.
The order comes after the Manila Bulletin reported that COMELEC's servers were allegedly hacked on January 8, where the 60-gigabytes worth of data files including usernames and PINS of vote-counting machines were downloaded.
According to the Manila Bulletin, other downloaded files include "network diagrams, IP addresses, list of all privileged users, domain admin credentials, list of all passwords and domain policies, access to the ballot handling dashboard, and QR code captures of the bureau of canvassers with login and password."
NPC Privacy Commissioner John Henry Naga said in a statement they were also informed by Samaniego of the suspected breach and commenced its own investigation over the matter.
"The COMELEC must address the serious allegations made in the Manila Bulletin news report and determine whether personal data were indeed compromised, particularly personal information, sensitive personal information, or data affecting the same, which were processed in connection with the upcoming 2022 national and local elections," Naga said in a statement.
"COMELEC is also directed to conduct a comprehensive investigation on the matter and submit to the NPC the results thereof no later than January 21, 2022," he added.
COMELEC spokesperson James Jimenez previously said that some of the data allegedly downloaded by the hackers do not yet exist in COMELEC systems because they "have not yet been completed."
"This calls into question the veracity of the hacking claim," Jimenez said in another radio interview.
The NPC said that it does not "tolerate any act in violation of the Data Privacy Act," which includes negligence in implementing physical and technical security measures on personal data and processing systems.