Cybersecurity researcher Jeremiah Fowler uncovered a significant data breach involving a non-password-protected database housing more than 200,000 records, including sensitive information of students and parents.
The database, which spanned a whopping 153.76 GB, contained a total of 210,020 records. Upon analysis, Fowler determined that the documents were associated with the Online Voucher Application (OVAP) program, a digital platform developed by the Philippines’ Department of Education (DepEd) and the Private Education Assistance Committee (PEAC).
Prompt action ensued as Fowler initiated a responsible disclosure notice to both the DepEd and the National Privacy Commission (NPC) of the Philippines. The NPC responded swiftly, confirming that they had secured the compromised database and commenced further investigations. However, crucial details remain murky, including the ownership and management of the database, the duration of exposure, and the possibility of unauthorized access.
Inside the exposed database, Fowler uncovered a treasure trove of sensitive documents containing personally identifiable information (PII). These included tax filings, voucher applications, consent forms, financial assistance records, and various official certificates. Of particular concern were the tax records, which divulged full names, addresses, phone numbers, employers, and tax identification numbers of individuals and their children. Additionally, the database contained image files of children’s profile photos, amplifying the severity of the breach.
The OVAP platform, designed to facilitate financial aid applications for eligible students, inadvertently became a potential security vulnerability due to the lack of password protection on stored documents. This oversight rendered the documents accessible to anyone with an internet connection, posing a significant risk to data privacy.
The Private Education Assistance Committee (PEAC), chaired by the Secretary of Education, oversees the OVAP program in collaboration with various educational associations. The program collects extensive personal and familial data from applicants, including details on income sources, property ownership, and familial relationships.
