THE COMMISSION on Elections (Comelec) has withheld P90 million in payment from Smartmatic SGO Group for potential negligence after a data breach involving the software contractor for this year’s elections.

The election body would wait for the results of a government investigation before taking action, Comelec Chairman Saidamen B. Pangarungan told a Senate hearing on Tuesday.

The P90-million payment became due last March, but it would be released only after they are convinced that Smartmatic is innocent in the data leakage, he added.

The contractor has said the security breach had not compromised ballots and SD cards, adding it was limited to information on the company’s internal organization.

Senator Imelda “Imee” R. Marcos suggested changes to the Automated Election Law to require the advanced encryption standard (AES) provider to report to Comelec and the joint congressional oversight committee when an incident, breach or system interference occurs.

“The provider should show that its systems, its protocols are safe and secure over the long period of the election and the campaigns,” she said. “If it cannot secure its own system, how can we be confident that the system it provides Comelec is safe and secure?”

Mr. Pangarungan said they would study her suggestion. “It is not wise to take any drastic actions against Smartmatic that might prejudice the conduct of the elections on May 9.”

During the hearing, National Bureau of Investigation (NBI) Cyber-crime Division chief Victor V. Lorenzo said the primary suspect in the cyber-security breach, a former Smartmatic employee, might have worked with other people.

Smartmatic earlier said the former worker had downloaded nonsensitive, day-to-day operational materials from a repository readily available to all Smartmatic staff. He then shared it with people outside the company who have attempted to blackmail Smartmatic for money.

Ms. Marcos asked if there was a way of knowing if other Smartmatic employees at its Santa Rosa, Laguna warehouse were in cahoots with the suspect.

Smartmatic lawyer Christian Robert S. Lim, a former election commissioner, said there was no way, adding that they were monitoring their workers’ actions.

He added that they were evaluating their security systems. Smartmatic is “more stringently monitoring the traffic of internet servers now to determine if there is any unusual activity.”

It has also limited employee access to so-called configuration rooms, and workers can only get near machines for repairs.

“Maybe after the elections, there will be a series of training on cyber-security,” Election Commissioner Marlon S. Casquejo told senators.

They have also bought the AES software from Smartmatic as part of the contract so that the present system could be reused in the next elections without its help.

The NBI cited the need to appoint more specialized judges to handle cyber-crime cases.

Meanwhile, Comelec was set to send the official ballots for this year’s elections to city and municipal treasurers nationwide last night, it said in a statement.

It would deploy the ballots and supplies to be used in the May 9 elections from its warehouse in Pasig City in front of media and other groups. The event would also be streamed live on Facebook, it said.

Comelec finished printing all 67.4 million ballots on April 2. Last week, it started sending local absentee ballots for members of the military, police and media who can’t vote on election day. Local absentee voting will be held on April 27 to 29.

Election Commissioner George Erwin M. Garcia earlier said they would burn defective ballots in front of journalists, representatives of political parties, candidates and members of citizen’s arms. — Alyssa Nicole O. Tan and John Victor D. Ordoñez