As reported by vpnMentor earlier this week, cybersecurity researcher Jeremiah Fowler discovered a non-password protected cloud storage database involving Filipino students and parents that contained 210,020 records, with a total size of 153.76 gigabytes.
According to Fowler, the database was available to anyone with an Internet connection. It was unclear who owned and managed the database, and how long it was exposed online.
Research by Fowler indicated that the database was connected with the Online Voucher Application (OVAP) system of the Private Education Assistance Committee (PEAC) of the Department of Education (DepEd).
The PEAC is a national subsidy program aimed at extending financial support to private schools. The OVAP is a platform developed for students seeking financial aid.
Fowler outlined how the database contained personally identifiable information (PII) and highly sensitive documents which included tax filings, certificates of employment, financial assistance, voucher applications, parent/guardian consent forms, local government certifications, and other notarized and official documents, as well as ID photos of students.
The following data was collected from applicants:
Personal data:
- Full name
- Learner Reference Number (LRN)
- Date of birth
- Gender
- City/Municipality and Province of birth
- Citizenship/Nationality
- Home address and contact information (mobile phone, landline number, email address)
- Junior High School enrolled in (including address and school fees)
- If applicable, whether the applicant has received financial assistance from the school
Family data
- Father/Mother/Guardian’s name
- Source/s of income
- Gross monthly income
- Proof of financial capacity
- Sibling/s name and age
- Properties owned (vehicle, real estate, house)
- If the child is sponsored by someone other than a parent or guardian: supporting documents indicating source/s of income, gross monthly income of the person helping send the child to school, proof of financial capacity
The data that was exposed is highly sensitive, especially when combined, as they open the database subjects to scams, financial fraud, identity theft, phishing attempts, harassment, and potential physical harm. Its exposure over the Internet unsecured was a serious security lapse.
Fowler immediately sent a responsible disclosure notice to DepEd and the National Privacy Commission (NPC) about the database, and the NPC shortly replied that they had secured it and was investigating further.
Read Fowler’s full report at vpnMentor here.
