A massive data breach has been uncovered involving over 200,000 records of students and parents in the Philippines.
Cybersecurity researcher Jeremiah Fowler reported the vulnerability after discovering a non-password protected database linked to the Online Voucher Application (OVAP) program, a government initiative to aid students financially.
The OVAP platform served as a tool for eligible students who seek financial aid. Using OVAP, they can apply for vouchers to cover the costs of Senior High School education in private institutions or participating non-public schools.
The platform allows students or parents to submit their applications and the required documents electronically, making the process more accessible and convenient.
The following information was collected from applicants:
Applicant’s Personal Data:
- Full name
- Learner Reference Number (LRN)
- Date of birth
- Gender
- City/Municipality and Province of birth
- Citizenship/Nationality
- Home address and contact information (mobile phone, landline number, email address)
- Junior High School enrolled in (including address and school fees)
- If applicable, whether the applicant has received financial assistance from the school
Applicant’s Family Data:
- Father/Mother/Guardian’s name
- Source/s of income
- Gross monthly income
- Proof of financial capacity
- Sibling/s name and age
- Properties owned (vehicle, real estate, house)
If the child is sponsored by someone other than a parent or guardian: supporting documents indicating source/s of income, gross monthly income of the person helping send the child to school, proof of financial capacity
The exposed database, comprising 210,020 records and 153.76 GB of data, contained documents with Personally Identifiable Information (PII), such as tax filings, voucher applications, consent forms, and certificates of various kinds.
The records were found unsecured, raising concerns over potential unauthorized access and misuse of sensitive data.
“In the wrong hands, Personally Identifiable Information such as names, addresses, contact details, and date of birth increases the potential risk of identity theft and impersonation. The breach exposed personal identifiers critical for identity verification,” Fowler said.
Children face the gravest risk because of this data breach.
“The students’ profile pictures, uploaded during the application process for identification purposes, also pose a potential privacy violation. Children’s personal data is particularly sensitive, presenting a lifelong risk due to its vulnerability to future exploitation. Protecting children’s data is crucial as it safeguards their privacy, prevents potential harm, and helps establish a secure foundation for their future digital interactions and identities,” he added.
Fowler immediately alerted the Department of Education (DepEd) and the National Privacy Commission (NPC) of the Philippines, prompting swift action to secure the database.
Despite this, questions remain about the duration of exposure and the extent of any unauthorized access.
The OVAP platform, developed by the DepEd and the Private Education Assistance Committee (PEAC), is utilized by students seeking financial assistance for Senior High School education in private or non-public institutions.
Fowler’s findings highlight significant security lapses, as the personal and financial data of applicants and their families, including minors, was stored without password protection.
Detailed information from applicants, such as full names, birth data, income, and family details, was potentially at risk, increasing the vulnerability to financial fraud, phishing, and identity theft.
Fowler emphasizes the importance of cybersecurity measures and regular security audits to prevent such breaches.
This breach is a stark reminder of the risks associated with storing sensitive data and the importance of robust cybersecurity practices.
Fowler’s previous discovery of exposed documents from Philippine police agencies adds to the urgency for government bodies to reinforce their data protection protocols.
As of now, there is no evidence to suggest that the DepEd or OVAP have mismanaged the data.
However, Fowler advocates for continuous improvement in cybersecurity strategies to protect citizens’ sensitive information against evolving cyber threats.