MANILA, Philippines — A total of 210,020 student and parent records amounting to 153.76 GB were left unprotected in the Online Voucher Application (OVAP).
Cybersecurity researcher Jeremiah Fowler said the platform had no password protection, letting anyone with an internet connection access them.
Fowler said the database contained Personally Identifiable Information (PII), including the following:
Applicant’s Personal Data:
- Full name
- Learner Reference Number (LRN)
- Date of birth
- Gender
- City/Municipality and Province of birth
- Citizenship/Nationality
- Home address and contact information (mobile phone, landline number, email address)
- Junior High School enrolled in (including address and school fees)
- If applicable, whether the applicant has received financial assistance from the school
Applicant’s Family Data:
- Father/Mother/Guardian’s name
- Source/s of income
- Gross monthly income
- Proof of financial capacity
- Sibling/s name and age
- Properties owned (vehicle, real estate, house)
- If the child is sponsored by someone other than a parent or guardian: supporting documents indicating source/s of income, gross monthly income of the person helping send the child to school, proof of financial capacity
Fowler, the co-founder of Security Discovery, discovered the leak and reported it to vpnMentor on February 20, 2024.
Fowler sent a responsible disclosure notice to the DepEd and the National Privacy Commission (NPC) of the Philippines. In response, the latter allegedly said it had secured the database and was investigating the incident further.
However, Fowler said it was unclear how long the records were exposed or if anyone else gained access to the database.
The Department of Education developed the OVAP as a means for eligible students to seek financial assistance. They could apply for vouchers to cover Senior High School education costs in private and participating non-public schools.
The online platform helps students and parents submit applications and required documents electronically. However, Fowler said only an internal forensic audit would be able to identify unauthorized access or potential malicious activity.