A cyber-security researcher has identified a serious vulnerability that exposed more than 200,000 records of the Philippine education ministry in a potential data leak or hacking.
Jeremiah Fowler, a researcher at cyber-security firm vpnMentor, said in a report on February 20 that he found a non-password-protected database containing 153.76 gigabytes of data covering 210,020 records, belonging to an online platform used by senior high school students applying for government vouchers.
The Philippines’ Department of Education (DepEd) and the Private Education Assistance Committee (PEAC) established this digital platform as a tool for eligible students who seek financial aid.
Fowler said he came across Personal Identifiable Information (PII) including tax filings, voucher applications, consent forms, government certifications, certificates of employment, and death certificates among other official documents.
He had also found tax records and application folders that exposed image files (profile photos) of school children.
“The exposure of… (these) documents is a serious potential security lapse, as they were stored without password protection and, therefore, available to anyone with an Internet connection,” Fowler said.
He added that it was unclear how long the records were exposed or if anyone else could have gained access to the database.
“Only an internal forensic audit would be able to identify unauthorised access or potential malicious activity,” he said.
Fowler had informed the data leak in a disclosure notice to the DepEd and the National Privacy Commission (NPC) after which the vulnerability was patched.
This is the second time the education ministry’s database has reportedly been compromised since the start of the year.
More recently on February 14, Deep Web Konek, a community of cyber-security advocates reported a significant breach, revealing vulnerabilities in DepEd's data security infrastructure.
The breach, estimated to have compromised more than 750GB of sensitive information, represents a critical lapse in cybersecurity protocols.
This had extended to include Google Email Accounts from Google Workspace, amplifying the scope and severity of the incident.
DepEd said it is coordinating with the Department of Information and Communications Technology (DICT) on the data leak.
