2 min read

Personal info of over 200,000 Filipino students and their families gets exposed online


February 20, 2024

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Personal info of over 200,000 Filipino students and their families gets exposed online

There’s no week without a breach or leaky database.

Jeremiah Fowler, a well-known cybersecurity researcher, has stumbled upon an exposed database exposing over 153 GB of personally identifiable information (PII) of students and parents in the Philippines.

In total, over 200,000 records were found in a non-password-protected cloud database linked to the Online Voucher Application (OVAP), a platform set up by the Department of Education (DepEd) and the Private Education Assistance Committee (PEAC) in the Philippines.

According to Fowler’s report to vpnMentor, it remains unclear who managed the database and whether any malicious party had access to it prior to the sensitive data listed in the exposed files.

The researcher did, however, provide an extensive list of data he was able to peruse.

“Inside the database I saw numerous documents that contained PII, including tax filings, voucher applications, parent or guardian consent forms, financial assistance, local government certifications, certificates of employment, death certificates, and other notarized or official documents,” Fowler explained.

“Tax records are considered highly sensitive as they contain the full name of the person who’s filing and their children, as well as their home address, phone number, employer, and tax identification numbers. The application folders also contained image files (profile photos) of the children,” he said.

The full list of exposed PII can be seen below:

Applicant’s personal information:

  • Full names, gender and date of birth
  • Learner Reference Number (LRN) and place of birth
  • Nationality and citizenship
  • Contact information including email address, home address, landline number and mobile phone number
  • Name of the Junior High School the student enrolled in alongside the address and any applicable school fees
  • Financial assistance information (where applicable)

Data belonging to the applicant’s family:

  • Parent names
  • Source of income, gross monthly income and proof of financial capacity
  • Siblings’ names and ages
  • Properties owned (vehicle, real estate, house)
  • Supporting documents indicating source/s of income, gross monthly income of any other person helping send the child to school, proof of financial capacity (other than parent or guardian)

While the database was secured shortly after Fowler sent a responsible disclosure notice to the DepEd and the Philippines’ National Privacy Commission (NPC), Fowler also mentioned that the exposure poses a variety of potential risks for both students and their families.

“Exposing how much an individual earns and where they are employed could hypothetically put them at risk of financial fraud, phishing attempts, or identity theft,” Fowler said. “In this case, it could lead to students and their families’ potential monetary loss. In the wrong hands, Personally Identifiable Information such as names, addresses, contact details, and date of birth increases the potential risk of identity theft and impersonation.”

Worried about data breaches and leaks?

With Bitdefender’s Digital Identity Protection (DIP) service, you can discover and curate the extent of your digital identity to make more privacy-focused decisions to keep your identity and finances safe.

Our dedicated digital identity protection service helps you immediately respond to data breaches and leaks of personally identifiable information with 24/7 monitoring and provides easy 1-click action items that enable you to secure your accounts and data.




Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.

View all posts

You might also like