153 GB of Student and Family Data leaked

Another day, another misconfigured database jeopardizes the online privacy and physical security of hundreds of thousands of children and families.

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing over 200,000 records, including personally identifiable information (PII) of students and parents. 

According to Fowler’s findings, detailed in a blog post for vpnMentor, the unprotected database contained over 210,020 records, or 153.76 GB of data. It was associated with the Online Voucher Application (OVAP) created by the Department of Education and the Private Education Assistance Committee.

Fowler uncovered a vast collection of sensitive records, including children’s and family members’ full names, DOBs, home addresses, phone numbers, tax records, as well as unredacted images of children. 

The database also contained official documents such as tax filings, voucher applications, guardian/parent consent forms, financial assistance, employee certificates, local government certificates, and death certificates, which also hold personal data. For instance, tax records typically contain full names, addresses, phone numbers, employers, and tax identification numbers. A concerning aspect of the breach is that the application folders contained child profile photos.

A sample of the exposed data (Credit: vpnMentor)

The National Privacy Commission (NPC) of the Philippines has since secured the database and is investigating the matter further. It is unclear who owns and manages the database, how long the records were exposed, or if anyone else may have gained access.

The Philippines’ Department of Education created the OVAP platform for eligible students seeking financial aid, allowing them to apply for vouchers for Senior High School education. However, the platform’s lack of password protection raises potential security concerns.

The data leak has potentially exposed students and parents to a wide range of online threats. Students’ families submit tax filings and income declarations during the application process, so the exposed records may reveal sensitive financial information and leave them open to financial fraud, phishing attempts, or identity theft.

This could lead to monetary loss for students and their families. In addition, PII, including data on children and minors, can be compromised, posing a lifelong risk to their privacy and digital identities.

Governments and relevant departments must prioritize strong cybersecurity measures and protect the sensitive data of their citizens when creating such portals. Regular risk assessments and security audits are needed to secure public data and prevent unauthorized actors from accessing it.