₱90 Million Payment to Smartmatic Withheld by COMELEC After Data Breach

Smartmatic’s online infrastructure was reportedly breached, which prompted the Commission on Elections (COMELEC) to withhold payments to the company. Despite the incident, both parties assured that this will not jeopardize the 2022 polls. Smartmatic is the poll software provider for COMELEC.

The move was announced by COMELEC Chairman Saidamen Pangarungan during a hearing conducted by the Senate electoral reforms panel on Tuesday. Smartmatic had earlier secured a contract with COMELEC in 2021 for the procurement of the automated elections system (AES) software, which reached ₱402.725 million. Pangarungan noted that the third tranche of payment to Smartmatic amounting to ₱90 million is yet to be released.

Smartmatic has since acquired ₱3.119 billion in deals for the upcoming 2022 polls, which includes other contracts. “[The payment will be released] once we are convinced that Smartmatic is innocent about this leakage of data,” Pangarungan explained. This data breach was caused by Ricardo Argana, a rogue Smartmatic employee, who admitted to sharing “his credentials to an unknown third person whom he met through Facebook Messenger allegedly in exchange of free lectures.”

Argana was fired in January following the discovery of the incident, and the company has likewise enforced stricter measures. Smartmatic previously allowed employees to bring home their work laptops as part of its “honesty system,” but this has been revoked by the company. Smartmatic spokesman and former COMELEC commissioner Christian Robert Lim guaranteed that “This has zero impact on the elections. The files obtained by [former employee] Argana had no relation to what the Comelec is preparing for the elections.”

A probe conducted by the National Bureau of Investigation (NBI) also found that a hacker group called XSOX emailed Smartmatic in January asserting that they had “infiltrated” the company’s network and downloaded 60 gigabytes of data. The NBI, however, disproved this claim.

“When you compare it to the logs provided by Smartmatic, the former employee was only able to download 4 gigabytes of information,” elaborated NBI cybercrime division chief Victor Lorenzo. “That is why even if XSOX is threatening Smartmatic and the public that they are going to expose sensitive information, until now, they have failed to fulfill their threat.”

Hackers involved in the 2016 “Comeleak” scandal have also been regarded as persons of interest, according to Lorenzo. The COMELEC’s law department has also recommended blacklisting Smartmatic, terminating their contract, and filing criminal cases should the company be found to be liable for the data breach.

The COMELEC reiterated that it will remain unaffected despite the outcome of the probe. “Our system is not in any way connected to the internet. We are quite sure there’s no cyberattack in our system,” said COMELEC Commissioner Marlon Casquejo.

Source: Rappler