SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Data Exposure
CriticalResolved

DepEd Online Voucher Application Program (OVAP)

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected cloud database containing 210,020 records (153.76 GB) from DepEd's Online Voucher Application Program, exposing sensitive student and parent data.

February 20, 2024Nationwide, National210,020 records affected

Key Facts

Date of Incident
February 20, 2024
Date Discovered
January 15, 2024
Records Affected
210,020
153.76 GB total
Source
vpnMentor / Jeremiah Fowler
Data Types Exposed
Student namesTax filingsVoucher applicationsConsent formsGovernment certificationsProfile photos of studentsCertificates of employment
Response / Action Taken

NPC confirmed database was secured after responsible disclosure. Further investigation commenced.

What Happened

Cybersecurity researcher Jeremiah Fowler, working with vpnMentor, discovered a non-password-protected cloud database containing 153.76 gigabytes of data covering 210,020 records. The database was associated with the Online Voucher Application Program (OVAP), a digital platform developed by the Department of Education (DepEd) and the Private Education Assistance Committee (PEAC).

The OVAP platform allows eligible senior high school students to apply for vouchers to cover the costs of education in private institutions. Students and parents submit applications and required documents electronically through the platform.

Data Exposed

The exposed database contained highly sensitive personal information including:

  • Tax filings and financial records
  • Voucher applications with personal details
  • Consent forms signed by parents
  • Government certifications and certificates of employment
  • Death certificates and other official documents
  • Profile photos (image files) of school children
  • Student and parent personal identifiable information (PII)

Impact

Fowler warned that exposing how much an individual earns and where they are employed could put them at risk of financial fraud, phishing attempts, or identity theft. The exposure of children's photographs alongside their personal information is particularly concerning.

The database was stored without password protection and was accessible to anyone with an internet connection.

Response

Fowler initiated a responsible disclosure notice to both DepEd and the National Privacy Commission (NPC). The NPC responded swiftly, confirming that they secured the compromised database and commenced further investigations.

However, critical details remain unclear, including the ownership and management of the database, the duration of exposure, and whether unauthorized access occurred before discovery.

How This Attack Works

This was a misconfigured cloud storage incident. The database was deployed without any authentication — no password, no access key, no firewall rules. Anyone with the URL could access all 210,020 records. Cloud misconfigurations like this are one of the most common causes of data exposure globally.

How to Prevent This

  1. 1.Enable authentication on all databases — never deploy a cloud database without requiring login credentials, even in development or staging environments
  2. 2.Use cloud security posture management (CSPM) tools — services like AWS Config, Azure Security Center, or open-source tools like ScoutSuite can automatically detect misconfigured storage buckets and databases
  3. 3.Restrict network access — configure firewalls and security groups so databases are only accessible from authorized IP addresses or VPNs, never from the open internet
  4. 4.Enable access logging — turn on audit logs for all database access so you can detect unauthorized access quickly
  5. 5.Apply data minimization — do not collect sensitive documents like tax filings, death certificates, or children's photos unless absolutely necessary for the program
  6. 6.Conduct regular security audits — schedule quarterly reviews of all cloud resources to check for misconfigurations
  7. 7.Require vendor security assessments — if a third-party platform handles student data, require them to demonstrate SOC 2 compliance or equivalent security certifications

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. [1]
    vpnMentor — Original report by Jeremiah Fowler: Over 200k records exposed in OVAP portal breach (Feb 20, 2024)
  2. [2]
    Rappler — Over 200,000 records of students, parents exposed in unsecured DepEd database
  3. [3]
    Inquirer.net — Over 200,000 student and parent data exposed in PH education platform
  4. [4]
    Bitdefender — Personal info of over 200,000 Filipino students and their families gets exposed online
  5. [5]
    iTnews Asia — Philippine education ministry hit by data leak exposing 210,020 records
  6. [6]
    EDUtech Talks — Vulnerability exposes 210,000 records of Philippines' education ministry
  7. [7]
    Straits Times — Philippine education ministry hit by data leak involving over 210,000 school and tax records
  8. [8]
    Newsbytes PH — Unsecured DepEd cloud database of students, parents exposed
  9. [9]
    HackRead — Unsecured database leaks Filipino student and family data
DepEdOVAPcloud databasedata exposureNPCvpnMentor

Related Incidents

High

Seven Schools, Institutions, and LGUs (NPC Investigation)

January 1, 2022

High

A state university in Metro Manila

July 4, 2026

High

Philippine Universities — Canvas LMS Breach

May 6, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources