Data Exposure
Critical | Resolved

DepEd Online Voucher Application Program (OVAP)

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected cloud database containing 210,020 records (153.76 GB) from DepEd's Online Voucher Application Program, exposing sensitive student and parent data.

February 20, 2024 | Nationwide, National | 210,020 records affected

Key Facts

Date of Incident: February 20, 2024
Date Discovered: January 15, 2024
Records Affected: 210,020 (153.76 GB total)
Data Types Exposed: Student names, Tax filings, Voucher applications, Consent forms, Government certifications, Profile photos of students, Certificates of employment
Response / Action Taken: NPC confirmed database was secured after responsible disclosure. Further investigation commenced.

What Happened

Cybersecurity researcher Jeremiah Fowler, working with vpnMentor, discovered a non-password-protected cloud database containing 153.76 gigabytes of data covering 210,020 records. The database was associated with the Online Voucher Application Program (OVAP), a digital platform developed by the Department of Education (DepEd) and the Private Education Assistance Committee (PEAC).

The OVAP platform allows eligible senior high school students to apply for vouchers to cover the costs of education in private institutions. Students and parents submit applications and required documents electronically through the platform.

Data Exposed

The exposed database contained highly sensitive personal information including:

  • Tax filings and financial records
  • Voucher applications with personal details
  • Consent forms signed by parents
  • Government certifications and certificates of employment
  • Death certificates and other official documents
  • Profile photos (image files) of school children
  • Student and parent personally identifiable information (PII)

Impact

Fowler warned that exposing how much an individual earns and where they are employed could put them at risk of financial fraud, phishing attempts, or identity theft. The exposure of children's photographs alongside their personal information is particularly concerning.

The database was stored without password protection and was accessible to anyone with an internet connection.

Response

Fowler initiated a responsible disclosure notice to both DepEd and the National Privacy Commission (NPC). The NPC responded swiftly, confirming that they secured the compromised database and commenced further investigations.

However, critical details remain unclear, including the ownership and management of the database, the duration of exposure, and whether unauthorized access occurred before discovery.

How This Attack Works

This was a misconfigured cloud storage incident. The database was deployed without any authentication — no password, no access key, no firewall rules. Anyone with the URL could access all 210,020 records. Cloud misconfigurations like this are one of the most common causes of data exposure globally.

How to Prevent This

  1. Enable authentication on all databases — never deploy a cloud database without requiring login credentials, even in development or staging environments
  2. Use cloud security posture management (CSPM) tools — services like AWS Config, Azure Security Center, or open-source tools like ScoutSuite can automatically detect misconfigured storage buckets and databases
  3. Restrict network access — configure firewalls and security groups so databases are only accessible from authorized IP addresses or VPNs, never from the open internet
  4. Enable access logging — turn on audit logs for all database access so you can detect unauthorized access quickly
  5. Apply data minimization — do not collect sensitive documents like tax filings, death certificates, or children's photos unless absolutely necessary for the program
  6. Conduct regular security audits — schedule quarterly reviews of all cloud resources to check for misconfigurations
  7. Require vendor security assessments — if a third-party platform handles student data, require them to demonstrate SOC 2 compliance or equivalent security certifications
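
As an added example (not code from the original report or from any party named in it), the sketch below shows how items 1, 3 and 4 of this list can be checked automatically against an exported resource inventory. The inventory schema, the resource names and the authorized network ranges are all assumptions made up for illustration.

```python
import ipaddress

# Assumption: networks this organisation treats as authorised (VPN, office egress).
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.8/29")]

def unauthorized_sources(cidrs):
    """Return ingress CIDRs not fully contained in an authorised network."""
    bad = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            bad.append(cidr)  # an unparseable rule is a finding, never "safe"
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in AUTHORIZED):
            bad.append(cidr)
    return bad

def audit(resource):
    """Check one inventory entry against items 1, 3 and 4 of the prevention list."""
    findings = []
    if not resource.get("auth_required", False):
        findings.append("no-authentication")
    cidrs = resource.get("ingress_cidrs")
    if cidrs is None:  # no firewall configured at all, as in this incident
        findings.append("no-firewall-rules")
    else:
        findings += [f"open-ingress:{c}" for c in unauthorized_sources(cidrs)]
    if not resource.get("audit_logging", False):
        findings.append("no-access-logging")
    return findings

# Constructed inventory (hypothetical schema and names, not data from the incident).
INVENTORY = [
    {"name": "applications-db", "auth_required": False, "audit_logging": False},
    {"name": "staging-db", "auth_required": True, "audit_logging": True,
     "ingress_cidrs": ["0.0.0.0/0", "10.20.4.0/24"]},
    {"name": "reports-db", "auth_required": True, "audit_logging": True,
     "ingress_cidrs": ["203.0.113.10/32"]},
]

def run(inventory=INVENTORY):
    """Map each resource name to its findings; an empty list means compliant."""
    return {r["name"]: audit(r) for r in inventory}

if __name__ == "__main__":
    for name, findings in run().items():
        print(name, "->", findings or "ok")
```

The first constructed entry mirrors the condition described in this incident (no authentication, no firewall rules, no logging) and fails all three checks; a real deployment would feed the same checks from a CSPM export.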
