Beyond individual users, UP offices themselves leaked data, including personally identifiable data such as IDs, Form 5s, signatures, and student databases in the 5 TB worth of data available to all users of the university’s Google Workspace.
The Collegian found 3,527 counts of sensitive files that were searchable to any UP user with access to the Google Workspace as of April 15.
These become accessible when a user chooses to share a file with anyone with a UP mail and enables the “Can find in search results” option.
The Information Technology Development Center (ITDC) and the University Computer Center have previously attributed the leak to individual users unaware of the search option, in a report by Tinig ng Plaridel. But 6,230 leaked files, some of them sensitive, were attributed to emails of UP offices, per the Collegian’s count.
Some of the violations did come from student groups. In one case, the individual votes of a college-level student council election were made searchable to the entire workspace. Confidential files, non-disclosure and memorandum agreements, meeting minutes, and alumni databases were leaked by student organizations.
But many of the sensitive file incidents occurred due to UP offices prompting students or other users to submit files in a shared folder that was searchable to the entire Google Workspace. This was usually the case for the Form 5, ID, signature, medical certificate, personal data sheet, and E-2L form files. Survey, registration, and feedback forms from UP offices were also inadvertently leaked.
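The sharing state described above can be checked from file metadata. The following is an added example, not part of the Collegian’s report or any UP tool: it assumes metadata shaped like Drive API v3 file resources, where the “Can find in search results” option appears as allowFileDiscovery on a domain permission, and the domain, accounts and file names are constructed placeholders.

```python
import re

# Filename hints drawn from the document types named in the report.
SENSITIVE = re.compile(
    r"\b(form\s*5|id|signature|medical certificate|personal data sheet|e-2l)\b",
    re.IGNORECASE)

# Constructed sample shaped like Drive API v3 file resources; the domain,
# accounts and file names are placeholders, not values from the report.
OFFICE_ACCOUNTS = {"scholarships@example.edu"}
SAMPLE_FILES = [
    {"id": "f1", "name": "Form 5 - constructed student.pdf",
     "owners": [{"emailAddress": "scholarships@example.edu"}],
     "permissions": [{"type": "domain", "domain": "example.edu",
                      "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f2", "name": "Org meeting minutes.docx",
     "owners": [{"emailAddress": "student1@example.edu"}],
     "permissions": [{"type": "domain", "domain": "example.edu",
                      "role": "writer", "allowFileDiscovery": True}]},
    {"id": "f3", "name": "Medical certificate upload.pdf",  # link-only sharing
     "owners": [{"emailAddress": "scholarships@example.edu"}],
     "permissions": [{"type": "domain", "domain": "example.edu",
                      "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f4", "name": "ID scans.zip",  # shared with one named user only
     "owners": [{"emailAddress": "scholarships@example.edu"}],
     "permissions": [{"type": "user", "role": "reader"}]},
]

def discoverable_grants(file_meta, domain):
    """Permissions that make the file findable in domain-wide search."""
    return [p for p in file_meta.get("permissions", [])
            if p.get("type") == "domain" and p.get("domain") == domain
            and p.get("allowFileDiscovery") is True]

def audit(files, domain, office_accounts):
    """List searchable files, sensitive-looking and office-owned ones first."""
    findings = []
    for f in files:
        grants = discoverable_grants(f, domain)
        if not grants:
            continue  # not searchable: link-only or individually shared
        owner = (f.get("owners") or [{}])[0].get("emailAddress", "unknown")
        findings.append({"id": f["id"], "name": f["name"], "owner": owner,
                         "office_owned": owner in office_accounts,
                         "sensitive_name": bool(SENSITIVE.search(f["name"])),
                         "roles": sorted({g["role"] for g in grants})})
    findings.sort(key=lambda x: (not x["sensitive_name"],
                                 not x["office_owned"], x["name"]))
    return findings
```

Files shared domain-wide by link only (f3) or with named users (f4) are not reported, since neither is exposed through workspace search.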
Data Privacy
In processing personal data, UP offices are supposedly bound to the UP Privacy Manual, which states that shared digital files must be encrypted through password-protected ZIP files.
They are also bound by the principle of proportionality under the Data Privacy Law, which states that personal data should only be asked for if it is the only reasonable option. This applies, for example, when offices ask students for proofs of enrollment such as IDs and Form 5s.
“I keep on telling our offices to please rethink asking for Form 5s of students. Why don’t we just talk among ourselves instead? Besides, that’s extra work for the students. That’s also very risky—there’s so much information that’s not needed, especially for scholarships,” Marcia Ruth Gabriela Fernandez, data protection officer of the UP System, told the Collegian.
The Data Protection Office does regularly consult with UP offices on how they process data, in the form of privacy impact assessments. But Fernandez only conducts this with offices handling systemwide processes, such as admissions and registration systems.
While there have been no data breach incidents involving systemwide processes, non-systemwide processes such as scholarship processing and job hiring are left under the jurisdiction of the data protection officers of individual campuses. Fernandez does, however, conduct trainings with individual offices at their request.
Data protection officers must be involved in responding to any possible data breaches, according to UP’s privacy manual. But in the case of digital data breaches, the manual gives the responsibility to “serve as head of the security incident or breach response team” to the director of the ITDC, or the manager of the digital service in question.
Data Breach
The university’s Google Workspace is managed by the ITDC. Since Tinig ng Plaridel’s first report, a compromised mailing list incident, and a subsequent report by SINAG on a Google Groups data breach, the office has repeatedly released email blasts directing individual users to secure their files and accounts.
They have also held several public webinars on the use of the Google Suite from 2020 to 2024, the office told SINAG. Only one of those trainings, however, was directed to a UP office.
The effectiveness of these webinars also remains questionable, as the number of searchable files has increased year after year, peaking last year.
But beyond information drives, it remains to be seen whether there will be changes to data processes in the university, with the fragmented nature of the data protection and IT offices of each campus.
Data Governance
The unification of these digital processes is one of UP President Angelo Jimenez’s flagship programs. By ushering in the university’s digital transformation, he wants to “provide a cohesive overall framework that ensures consistency, alignment, and synergy across all our digital transformation initiatives,” according to a press release by UP.
The creation of the system’s newest office, the Office of the Vice President for Digital Transformation (OVPDx), was ratified by the Board of Regents on Jan. 30, with philosophy professor Peter Sy as vice president.
Both the ITDC and the Data Governance Office, previously under the Office of the Vice President for Development, were moved to OVPDx. The board meeting’s minutes showed regents concerned with the e-UP project and enrollment systems, among others.
But it remains unclear what OVPDx’s responsibilities are in terms of cybersecurity and in dealing with data breaches, such as those reported in April. Staff from the ITDC told the Collegian that there is no dedicated cybersecurity division within the office, which would have been involved in dealing with data breach and linkjacking incidents.
The Collegian disclosed the data breach to the system data protection offices, the ITDC, and OVPDx on April 23, April 25, and April 29, respectively.
“The OVPDx assures the UP community that cybersecurity and data privacy are our paramount concerns. These are processes that necessitate collaborative and effective IT governance, cybersecurity capacity building, and effective community engagement,” OVPDx said in a response letter to the Collegian on May 6.
First published in the May 7, 2025 print edition of the Collegian.
This is Part 1 of the Collegian’s report on UP cybersecurity. You may read the second part on linkjacking incidents in the university here.