Philippine education ministry hit by data leak involving over 210,000 school and tax records

Among the data exposed were profile photos of the applicants, and their parents' tax records. PHOTO: COURTESY OF JEREMIAH FOWLER/VPNMENTOR

A cyber-security researcher has found a vulnerability that exposed over 210,000 records of the Philippine education ministry to possible hacking and online scams.

Mr Jeremiah Fowler, a researcher at cyber-security firm vpnMentor, said in a report on Feb 20 that he found a gap that gave nearly unencumbered access to an online platform used by senior high school students applying for government vouchers to cover their tuition costs.

The cloud-stored database included some 154 gigabytes worth of tax filings, consent forms, government certifications, and employment and death certificates.

He said the tax records were particularly vulnerable, as these had the full names of those filing, as well as their home addresses, phone numbers, names of their employers and tax identification numbers.

The online application forms, meanwhile, contained the applicants’ full name, birthday, gender, address and contact information, as well as their parents’ sources of income and properties owned.

The application folders also contained photos of the students applying for vouchers.

“The exposure of… (these) documents is a serious potential security lapse, as they were stored without password protection and, therefore, available to anyone with an Internet connection,” said Mr Fowler.

The data could be used in phishing attempts and identity theft, he added.

The Philippines’ National Privacy Commission told The Straits Times that it was informed by Mr Fowler of the breach in January, and that “the vulnerability has been patched”.

But Mr Fowler said it was unclear how long the records were exposed or if anyone else could have gained access to the database.

“Only an internal forensic audit would be able to identify unauthorised access or potential malicious activity,” he said.

This was the second time in 2024 that the education ministry’s database had reportedly been compromised.

On Feb 14, Deep Web Konek – a community of cyber-security advocates – reported on Facebook that it unearthed a data breach involving 750GB worth of banking and personal records of students and teachers under the education ministry’s regional office south of the capital Manila.

The ministry said it ordered its field offices to run diagnostics and check if its servers had been hacked.

Earlier in February, hackers operating in China attempted to break into websites and e-mail systems of President Ferdinand Marcos Jr and several government agencies, including one promoting maritime security.

Among countries in South-east Asia, the Philippines has been ranked the second most vulnerable to cyber threats, after Indonesia.

Cyber-security firm Surfshark said in a report in October that at least 124 million accounts in the Philippines have been compromised since 2004. Indonesia topped the list, with 144 million affected accounts.

“In Asia, 52 accounts are breached per 100 people on average. However, in the Philippines, this number goes up to 106 per 100 people,” Surfshark lead researcher Agneska Sablovskaja said.

In October 2023, hackers released a massive trove of data from servers of the Philippine Health Insurance Corporation (Philhealth) after the state health insurer had refused to pay a ransom of US$300,000 (S$403,000).

Philhealth then revealed that the personal information of its 36 million members – around a third of the Philippine population – might have been compromised.

Its servers were hacked because it did not have cyber protection software. Some 96 computers were affected, or about a 10th of the agency’s units in its headquarters in metropolitan Manila.

Shortly after that incident, the homepage of the Philippines’ House of Representatives was defaced with a drawing of a smiling troll face and had to be taken offline.
