Over 200k Records of Students and Parents in the Philippines Exposed in High School Voucher Program Portal Data Breach
Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database containing more than 200,000 records, including sensitive files with the PII of students and parents.
The non-password-protected cloud storage database contained a total of 210,020 records with a size of 153.76 GB. Upon further research, the documents indicated they were associated with a program called the Online Voucher Application (OVAP). This is the digital platform established by the Philippines’ Department of Education (DepEd) and the Private Education Assistance Committee (PEAC). I immediately sent a responsible disclosure notice to the DepEd and the National Privacy Commission (NPC) of the Philippines. I received a reply from the NPC shortly after, claiming that they had secured the database and were investigating the matter further. It is not clear who owned and managed the database. It is also unclear how long the records were exposed or whether anyone else may have gained access to the database, potentially compromising a wealth of personal data belonging to the students and their families. Only an internal forensic audit would be able to identify unauthorized access or potential malicious activity.
Inside the database I saw numerous documents that contained PII, including tax filings, voucher applications, parent or guardian consent forms, financial assistance documents, local government certifications, certificates of employment, death certificates, and other notarized or official documents. Tax records are considered highly sensitive as they contain the full name of the person who is filing and their children, as well as their home address, phone number, employer, and tax identification numbers. The application folders also contained image files (profile photos) of the children.
The Philippines’ Department of Education developed the OVAP platform as a tool for eligible students who seek financial aid. Using OVAP, they can apply for vouchers to cover the costs of Senior High School education in private institutions or participating non-public schools. The platform allows students or parents to submit their applications and the required documents electronically, making the process more accessible and convenient. However, the exposure of OVAP documents is a serious potential security lapse: they were stored without password protection and were therefore available to anyone with an internet connection.
According to Wikipedia, the Private Education Assistance Committee (PEAC) is headed by the Secretary of Education as its chairman. PEAC is also composed of representatives from the National Economic and Development Authority (NEDA), the Catholic Educational Association of the Philippines (CEAP), the Association of Christian Schools, Colleges, and Universities (ACSCU), and the Philippine Association of Colleges and Universities (PACU).
The following information was collected from applicants:
Applicant’s Personal Data:
- Full name
- Learner Reference Number (LRN)
- Date of birth
- Gender
- City/Municipality and Province of birth
- Citizenship/Nationality
- Home address and contact information (mobile phone, landline number, email address)
- Junior High School enrolled in (including address and school fees)
- If applicable, whether the applicant has received financial assistance from the school
Applicant’s Family Data:
- Father/Mother/Guardian’s name
- Source/s of income
- Gross monthly income
- Proof of financial capacity
- Sibling/s name and age
- Properties owned (vehicle, real estate, house)
- If the child is sponsored by someone other than a parent or guardian: supporting documents indicating source/s of income, gross monthly income of the person helping send the child to school, proof of financial capacity
Potential Risks of the Exposure
Tax filings and income declarations are submitted by students' families as part of the application process. These include sensitive financial information, such as income statements and details regarding household earnings. Exposing how much an individual earns and where they are employed could hypothetically put them at risk of financial fraud, phishing attempts, or identity theft. In this case, it could lead to monetary loss for students and their families.
In the wrong hands, Personally Identifiable Information such as names, addresses, contact details, and dates of birth increases the potential risk of identity theft and impersonation. The breach exposed personal identifiers critical for identity verification. The students' profile pictures, uploaded during the application process for identification purposes, also pose a potential privacy violation. Children's personal data is particularly sensitive, presenting a lifelong risk due to its vulnerability to future exploitation. Protecting children's data is crucial as it safeguards their privacy, prevents potential harm, and helps establish a secure foundation for their future digital interactions and identities.
This incident serves as a crucial wake-up call for the government bodies in the Philippines to prioritize robust cybersecurity measures and ensure sensitive data is protected. In April of 2023, I discovered 1.2 million documents connected to Philippine police agencies that were publicly exposed. This finding of student and family data yet again highlights the necessity of continual risk assessments, regular security audits, and staying aware of ever-evolving cyber threats to safeguard sensitive data. I highly recommend that both private and government organizations implement standard cybersecurity practices and take proactive measures to prevent and mitigate data breaches or unauthorized access, especially agencies that collect and store sensitive information of students and other individuals.
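One concrete form the "regular security audits" recommended above can take is an automated check that no storage bucket holding application documents is readable by everyone. The following is an added example written for this article, not code from vpnMentor, the DepEd, or the OVAP project. The report does not name the cloud provider, so the AWS S3 bucket-policy and ACL document formats are assumed here purely for illustration, and the sample policy, ACL, bucket name and account ID are all constructed; the same logic applies to any provider whose storage has an "anyone on the internet" principal.

```python
"""Audit helper: flag storage-bucket policies and ACLs that grant public access.

Added example, not code from vpnMentor, the DepEd or OVAP. The report does not
name the cloud provider, so the AWS S3 bucket-policy and ACL formats are
assumed here as an illustration; every sample document below is constructed.
"""
import json

PUBLIC_PRINCIPALS = {"*"}
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal) -> bool:
    """True if the Principal element matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return any(p in PUBLIC_PRINCIPALS for p in aws)
    return False


def public_policy_statements(policy: dict) -> list:
    """Return (Sid, severity) for every Allow statement open to everyone.

    A statement carrying a Condition block (e.g. restricted to a VPC endpoint
    or a source IP range) is reported as conditional so a reviewer can judge
    it; an unconditional public Allow is the dangerous case.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append((sid, "public-but-conditional"))
        else:
            findings.append((sid, "public-unconditional"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs granted to the all-users ACL groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_ACL_GROUPS:
            hits.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


# Constructed sample policy: the first statement lets anyone read every object
# (the misconfiguration behind an "open to the internet" file store); the
# second is scoped by a Condition; the third is a normal admin role grant.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-file-store/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-file-store",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "Admins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/StorageAdmin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-file-store/*"}
  ]
}
""")

# Constructed sample ACL: the owner has full control and AllUsers can READ.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}


def audit(policy: dict, acl: dict) -> dict:
    """Combine both checks into the report a scheduled audit job would emit."""
    return {
        "policy_findings": public_policy_statements(policy),
        "acl_findings": public_acl_grants(acl),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Run on a real environment, `audit()` would be fed the policy and ACL fetched for each bucket; any `public-unconditional` finding or `AllUsers`/`AuthenticatedUsers` grant on a bucket that stores applicant documents is exactly the condition that left the OVAP files reachable without a password, and should fail the audit rather than merely be logged.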
It is not clear exactly who owned and managed the database containing the personal data of thousands of citizens and their children. The name of the database indicated that it was intended for OVAP file storage. I imply no wrongdoing by the DepEd or OVAP and do not claim that the exposed documents pose an imminent risk. As I mentioned above, only an internal audit could identify if anyone else has accessed the exposed data. As an ethical security researcher, I never download or extract the data I discover. I publish my findings and provide hypothetical real-world risks of how exposed data could be exploited to increase cybersecurity awareness and contribute to a safer digital space.