Over 200,000 student and parent data exposed in PH education platform

Over 200,000 student and parent data exposed in PH education platform
Cybersecurity researcher Jeremiah Fowler says a total of 210,020 student and parent data amounting to 153.76 GB were left unprotected in the Online Voucher Application (OVAP), which was developed by the Philippines’ Department of Education as a means for eligible students to seek financial assistance. Free stock photo from Pexels

MANILA, Philippines — A total of 210,020 student and parent records amounting to 153.76 GB were left unprotected in the Online Voucher Application (OVAP). 

Cybersecurity researcher Jeremiah Fowler said the platform had no password protection, letting anyone with an internet connection access them.

Fowler said the database contained Personal Identifiable Information or PII, including the following: 

Applicant’s Personal Data:

Applicant’s Family Data:

READ: DepEd: No hacking in regional offices despite alleged data leak

The co-founder of Security Discovery discovered and reported the leak to the vpnMentor company on February 20, 2024.

Fowler sent a responsible disclosure notice to the DepEd and the National Privacy Commission (NPC) of the Philippines. In response, the latter allegedly said it had secured the database and was investigating the incident further.

However, Fowler said it was unclear how long the records were exposed or if anyone else gained access to the database. 

READ: How to share your Wi-fi password

The Department of Education developed the OVAP as a means for eligible students to seek financial assistance. They could apply for vouchers to cover Senior High School education costs in private and participating non-public schools. 

The online platform helps students and parents submit applications and required documents electronically. However, Fowler said only an internal forensic audit would be able to identify unauthorized access or potential malicious activity. 

Read more about this report here.

Read more...