Pangarungan said the Comelec will wait for the findings of the National Bureau of Investigation (NBI) before deciding on actions regarding its contract with Smartmatic, including slapping possible sanctions against the firm for any contract violations.

“Because we want to clear this matter about this leakage of some data,” Pangarungan further told the Senate panel.

Earlier, senators learned that there had been a “very serious” security breach in the operations of Smartmatic allegedly involving one of its employees who had access to confidential information.

“There, indeed, was a security breach in the Smartmatic operations,” Sen. Maria Imelda Josefa “Imee” Marcos, chairman of the Senate Committee on Electoral Reforms and People’s Participation, told reporters.

Pangarungan, who was appointed to head the commission by President Rodrigo Duterte in March this year, said the Comelec’s law department recommended that they wait for the conclusion of the NBI investigation of the Smartmatic data breach for them to assess the extent of such breach and what steps they would eventually take.

When the alleged data breach was reported, Pangarungan said Comelec lawyers studied options the commission might adopt should Smartmatic be shown to have violated its contract on the automated election system (AES), if Smartmatic has any contact with a partisan group or organization or has violated confidentiality and the Data Privacy Law.

These options include, the Comelec chief said, a recommendation for the termination of the Smartmatic contract and forfeiture of its performance security fee.

They also include a recommendation for damages and the filing of criminal charges based on the Data Privacy Law.

Pangarungan gave assurances that the Smartmatic case will not affect the May 9, 2022 elections.

Also during the hearing, Victor Lorenzo, head of the NBI cybercrime division, said he is convinced that a former contractual employee, Ricardo Argana, did not act alone in the alleged breaching of data.

It was impossible for one man to have made 726 logins or entered a data server of Smartmatic in just six days, Lorenzo explained.

In their presentation, he said Argana is facing an administrative inquiry by Smartmatic.

Smartmatic officials said they are considering filing a damage suit against their former employee.

Argana reportedly admitted that somebody offered him free training modules in exchange for a line connection to a third party with Smartmatic, but said he did not know the third person because he was contacted only through Facebook Messenger.

When prodded by the NBI, he said he was promised from P50,000 to P300,000 by the third person.

Argana, the NBI said, has been accused of illegal access and data interference before the Taguig City Fiscal’s Office.

He was reportedly hired by Smartmatic in August 2021 as a quality assurance staff member and was detailed at a Comelec warehouse in November 2021 to test the AES.

From December 2021 until January 2, Smartmatic noticed unusual traffic and the download of its computer system, which was later traced to Argana, who was found to have brought home a company-issued laptop.

The NBI said there are other persons of interest based on the Facebook posts of SXOX Group.

It also explained that it saw a pattern of hacking at Smartmatic and a hacking of the Comelec server in 2016 described as “Comeleak,” and the so-called “IloIlo Blackhat,” which saw the hacking of the city government and hospital databases in Iloilo City in 2018.

During the hearing, Marcos asked Smartmatic about changes that the company instituted in order to prevent another breach in its systems.

In response, Smartmatic legal counsel Christian Robert Lim agreed that there is no absolute way to determine if any of the remaining personnel is an ally of or conspiring with their former employee, but he assured the senator that they are closely monitoring the actions of all their employees.

Lim, a former acting chairman of the Comelec, said Smartmatic has been coordinating with the NBI in the filing of charges against the primary suspect in the data breach.

Meanwhile, former police official Cezar Mancao 2nd, head of the Cybercrime Investigation and Coordination Center of the Department of Information and Communications Technology, said the CICC has initiated a technical working group that will look into cyber-related election offenses and ensure honest, fair and credible polls. — Javier Joe Ismael