Over 200,000 student and parent data exposed in PH education platform

By: Dale Arasa - 9 months ago

Cybersecurity researcher Jeremiah Fowler says a total of 210,020 student and parent data amounting to 153.76 GB were left unprotected in the Online Voucher Application (OVAP), which was developed by the Philippines’ Department of Education as a means for eligible students to seek financial assistance. Free stock photo from Pexels

Over 200,000 student and parent data exposed in PH education platform — Cybersecurity researcher Jeremiah Fowler says a total of 210,020 student and parent data amounting to 153.76 GB were left unprotected in the Online Voucher Application (OVAP), which was developed by the Philippines’ Department of Education as a means for eligible students to seek financial assistance. Free stock photo from Pexels

MANILA, Philippines — A total of 210,020 student and parent records amounting to 153.76 GB were left unprotected in the Online Voucher Application (OVAP).

Cybersecurity researcher Jeremiah Fowler said the platform had no password protection, letting anyone with an internet connection access them.

Fowler said the database contained Personal Identifiable Information or PII, including the following:

Applicant’s Personal Data:

Full name
Learner Reference Number (LRN)
Date of birth
Gender
City/Municipality and Province of birth
Citizenship/Nationality
Home address and contact information (mobile phone, landline number, email address)
Junior High School enrolled in (including address and school fees)
If applicable, whether the applicant has received financial assistance from the school

Applicant’s Family Data:

Father/Mother/Guardian’s name
Source/s of income
Gross monthly income
Proof of financial capacity
Sibling/s name and age
Properties owned (vehicle, real estate, house)
If the child is sponsored by someone other than a parent or guardian: supporting documents indicating source/s of income, gross monthly income of the person helping send the child to school, proof of financial capacity

READ: DepEd: No hacking in regional offices despite alleged data leak

The co-founder of Security Discovery discovered and reported the leak to the vpnMentor company on February 20, 2024.

Fowler sent a responsible disclosure notice to the DepEd and the National Privacy Commission (NPC) of the Philippines. In response, the latter allegedly said it had secured the database and was investigating the incident further.

However, Fowler said it was unclear how long the records were exposed or if anyone else gained access to the database.

READ: How to share your Wi-fi password

The Department of Education developed the OVAP as a means for eligible students to seek financial assistance. They could apply for vouchers to cover Senior High School education costs in private and participating non-public schools.

The online platform helps students and parents submit applications and required documents electronically. However, Fowler said only an internal forensic audit would be able to identify unauthorized access or potential malicious activity.