DepEd is apparently a cybersecurity disaster


Ben Kritz

THIS is ordinarily not a topic I would concern myself with, but the near-complete lack of reporting on it, which, in this case, is a grave public disservice, warrants an exception.

On February 20, a cybersecurity researcher working with an organization called vpnMonitor discovered a large-scale breach in the cloud database for the Department of Education’s (DepEd) Online Voucher Application Program (OVAP), which it administers jointly with the Private Education Assistance Committee (PEAC). The researcher, Jeremiah Fowler, said the non-password-protected database contained 210,020 records with a total size of about 154 gigabytes (GB). He said it was unclear who was responsible for the ownership and management of the database, who may have accessed it, or how long it may have been exposed.

In a press release from vpnMonitor, which was apparently ignored by every media outlet in the Philippines save one, Fowler said: “Inside the database, I saw numerous documents that contained PII (personally identifying information), including tax filings, voucher applications, parent or guardian consent forms, financial assistance, local government certifications, certificates of employment, death certificates, and other notarized or official documents.”

“Tax records are considered highly sensitive, as they contain the full name of the person who’s filing and their children, as well as their home address, phone number, employer, and tax identification numbers. The application folders also contained image files (profile photos) of the children,” he added.

Oh, that is just outstanding. Good job, DepEd. Way to fulfill your mandate to support the well-being of your students and their families.

Fowler goes on to explain that immediately on discovering the database — it is implied that it is just floating around on the internet for anyone to access for whatever purpose they might have — he promptly sent a responsible disclosure notice to the DepEd and the National Privacy Commission (NPC). To NPC’s credit, they apparently returned a prompt response, informing Fowler that they had secured the database and were initiating an investigation. The DepEd, apparently, did not deem the heads-up to be serious enough to acknowledge.

OVAP is an online facility developed by the DepEd to streamline the process of applications for financial aid, e.g., school vouchers, for eligible students. PEAC is a five-person committee that serves as the trustee for the Fund for Assistance to Private Education; its members include the Secretary of Education as chairman and representatives of the National Economic and Development Authority, Catholic Educational Association of the Philippines, Association of Christian Schools, Colleges and Universities, and Philippine Association of Colleges and Universities.

The organization that Fowler is associated with, vpnMonitor, is a consumer privacy and protection watchdog that primarily focuses on VPNs, or virtual private networks, a sort of internet within the internet that allows people to go online with a greater degree of anonymity. VPNs are useful, for example, when one is traveling in countries where online access and safety are questionable, such as China, or when one wants to virtually change location for services such as Netflix, or if one simply wants to shop online without having algorithms track search histories. The main service vpnMonitor provides is to analyze different VPNs for security, reliability and user-friendliness and provide recommendations for people trying to choose one of the many VPNs available.

Apart from the obvious frightening implications of a great deal of sensitive information being available to a world full of nefarious online actors — whether the NPC secured the database or not, the original mass of data is still out there — there are two other extremely disturbing things about this story.

First, as I noted already, there is almost a complete lack of reporting about it. The DepEd, of course, since it’s busy with stupider things such as needlessly tinkering with the school calendar, did not issue any sort of statement or advisory for the benefit of students and families who may have been affected by the breach. The NPC did not make a public statement, either, but they got a pass because primary responsibility for the sensitive data belongs with the DepEd anyway, and circumspection on the NPC’s part may better serve the needs of its investigation.

The Philippine news media, for its part, completely dropped the ball. As of Friday, the only report on the breach that can be found in the entire country is a story in the Davao-based Mindanao Times, which simply posted the press release from vpnMonitor in its entirety. I would like to think that the rest of the media simply missed it — which is still not a good excuse, given the gravity of the story — rather than intentionally ignored it because there is no question whether or not the report is true; the press release provides a number of screenshots (appropriately redacted for privacy, of course) of the information, documents and photos of the students that can be found in the stolen OVAP database online.

The second disturbing thing about this story is that it turns out that this latest breach is not actually the first or biggest data breach of the DepEd’s systems just this month. In searching for news reports about the OVAP breach — and finding none, as I explained — I found a different story from February 14, in which a massive 750-GB data breach had been reported, this one supposedly containing teachers’ and students’ personal information and banking information. The DepEd, in this case, at least, dismissively acknowledged that a report had been made, with a spokesman telling Philstar that it was trying to verify if a hack had indeed occurred.

While the current DepEd secretary is, of course, not personally tasked with maintaining IT system security, these alarming incidents occurring on her watch are not a good look. One might even form the opinion that, perhaps, she should spend less time ghoulishly using dead and wounded soldiers for photo ops like some kind of weird-looking Grim Reaper as part of what is apparently a six-year campaign for the presidency and more time keeping her own office in order. At a minimum, a heads-up about a potential personal security risk and some relevant guidance for students and families under that office’s care would definitely be in order.
