We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Over 200k Records of Students and Parents in the Philippines Exposed in High School Voucher Program Portal Data Breach

Over 200k Records of Students and Parents in the Philippines Exposed in High School Voucher Program Portal Data Breach
Jeremiah Fowler Published on 20th February 2024 Cybersecurity researcher

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password protected database that contained more than 200,000 records, which included sensitive files containing PII of students and parents.

The non-password protected cloud storage database contained a total of 210,020 records with a size of 153.76 GB. Upon further research, the documents indicated they were associated with a program called the Online Voucher Application (OVAP). This is the digital platform established by the Philippines’ Department of Education (DepEd) and the Private Education Assistance Committee (PEAC). I immediately sent a responsible disclosure notice to the DepEd and the National Privacy Commission (NPC) of the Philippines. I received a reply from the NPC shortly after, claiming that they had secured the database and were investigating the matter further. It is not clear who owned and managed the database. It is also unclear how long the records were exposed or if anyone else may have gained access to the database, potentially compromising a wealth of personal data belonging to the students and their families. Only an internal forensic audit would be able to identify unauthorized access or potential malicious activity.

Inside the database I saw numerous documents that contained PII, including tax filings, voucher applications, parent or guardian consent forms, financial assistance, local government certifications, certificates of employment, death certificates, and other notarized or official documents. Tax records are considered highly sensitive as they contain the full name of the person who’s filing and their children, as well as their home address, phone number, employer, and tax identification numbers. The application folders also contained image files (profile photos) of the children.

The Philippines’ Department of Education developed the OVAP platform as a tool for eligible students who seek financial aid. Using OVAP, they can apply for vouchers to cover the costs of Senior High School education in private institutions or participating non-public schools. The platform allows students or parents to submit their applications and the required documents electronically, making the process more accessible and convenient. However, the exposure of OVAP documents is a serious potential security lapse as they were stored without password protection and, therefore, available to anyone with an internet connection.

According to Wikipedia, the Private Education Assistance Committee (PEAC) is headed by the Secretary of Education as its chairman. PEAC is also composed of representatives from the National Economic and Development Authority (NEDA), Catholic Educational Association of the Philippines (CEAP); Association of Christian Schools, Colleges, and Universities (ACSCU) and the Philippine Association of Colleges and Universities (PACU).

The following information was collected from applicants:

Applicant’s Personal Data:

  • Full name
  • Learner Reference Number (LRN)
  • Date of birth
  • Gender
  • City/Municipality and Province of birth
  • Citizenship/Nationality
  • Home address and contact information (mobile phone, landline number, email address)
  • Junior High School enrolled in (including address and school fees)
  • If applicable, whether the applicant has received financial assistance from the school

Applicant’s Family Data:

  • Father/Mother/Guardian’s name
  • Source/s of income
  • Gross monthly income
  • Proof of financial capacity
  • Sibling/s name and age
  • Properties owned (vehicle, real estate, house)
  • If the child is sponsored by someone other than a parent or guardian: supporting documents indicating source/s of income, gross monthly income of the person helping send the child to school, proof of financial capacity

Potential Risks of the Exposure

Tax filings and income declarations are submitted by students' families as part of the application process. This included sensitive financial information, such as income statements and details regarding household earnings. Exposing how much an individual earns and where they are employed could hypothetically put them at risk of financial fraud, phishing attempts, or identity theft. In this case, it could lead to students and their families’ potential monetary loss.

In the wrong hands, Personally Identifiable Information such as names, addresses, contact details, and date of birth increases the potential risk of identity theft and impersonation. The breach exposed personal identifiers critical for identity verification. The students' profile pictures, uploaded during the application process for identification purposes also pose a potential privacy violation. Children's personal data is particularly sensitive, presenting a lifelong risk due to its vulnerability to future exploitation. Protecting children's data is crucial as it safeguards their privacy, prevents potential harm, and helps establish a secure foundation for their future digital interactions and identities.

This incident serves as a crucial wake-up call for the government bodies in the Philippines to prioritize robust cybersecurity measures and ensure sensitive data is protected. In April of 2023, I discovered 1.2 million documents connected to Philippine police agencies that were publicly exposed. This finding of student and family data yet again highlights the necessity of continual risk assessments, regular security audits, and staying aware of the ever evolving cyber threats to safeguard sensitive data. I highly recommend that both private and government organizations implement standard cybersecurity practices and take proactive measures to prevent and mitigate data breaches or unauthorized access — especially agencies that collect and store sensitive information of students and other individuals.

It is not clear exactly who owned and managed the database containing the personal data of thousands of citizens and their children. The name of the database indicated that it was intended for OVAP file storage. I imply no wrongdoing by the DepEd or OVAP and do not claim that the exposed documents pose an imminent risk. As I mentioned above, only an internal audit could identify if anyone else has accessed the exposed data. As an ethical security researcher, I never download or extract the data I discover. I publish my findings and provide hypothetical real-world risks of how exposed data could be exploited to increase cybersecurity awareness and contribute to a safer digital space.

About the Author

Jeremiah, an experienced cybersecurity researcher at vpnMentor and co-founder of Security Discovery, is renowned for uncovering some of the world’s most significant data breaches. Together with the vpnMentor team, he has been instrumental in securing the personal data of millions globally.

His journey in cybersecurity, sparked by his interest in a data breach at a former company, transformed from a passion into a recognized expertise, establishing him as a respected thought leader in the industry.