What Happened
On March 4, 2026, a threat actor using the handle Ch4nc3ll0rx 1337 publicly announced the defacement and data breach of the DepEd Tayo Lucena City website at depedlucenadms.com.
The attacker posted claims on Facebook at 8:22 PM, stating they had previously warned DepEd Lucena about vulnerabilities but received no response. The attacker stated: "Since I got no response to my warning at all. You deserve to suffer like your brothers." — referencing prior attacks on other DepEd division websites.
The defacement page displayed the message "DEPED LUCENA DATA LEAK — PAWNED BY Ch4nc3ll0rX_1337" along with claims of data exfiltration, backdoor deployment, and full access to the database.
What Was Compromised
The attacker claimed to have exfiltrated and made available:
- Partial website defacement — a defacement image was placed on the server at depedlucenadms.com
- 3,000+ lines of database dump — posted to pasteview.com with password protection (password: "LucenaCutie")
- Full database access — the attacker claimed to have gained access due to "EGO and NEGLIGENCE" by the site administrators
- Backdoors deployed — the defacement page explicitly stated "BACKDOORS DEPLOYED" and "ACCESS GRANTED," indicating persistent access was established
The defacement page also listed collaborators and greeted affiliated hacktivist groups: Anonymous Philippines, Lulzsec Pilipinas, Pinoy Vendetta, Nullsec Philippines, and Fawkes Filipinas.
Connection to Other Attacks
This attack is part of a broader campaign by Ch4nc3ll0rx 1337, the same threat actor responsible for the [DepEd Roxas City defacement](/breaches/deped-roxas-city-defacement-2026) on March 8, 2026. The attacker's reference to Lucena "suffering like your brothers" confirms coordinated targeting of multiple DepEd division offices.
The attacker also published a proof-of-concept (POC) write-up on Medium documenting the data leak, indicating a desire for public attention and pressure on DepEd to address security vulnerabilities.
Why This Breach Is Concerning
- Ignored warnings — the attacker claims to have previously warned DepEd Lucena about vulnerabilities, which were disregarded, indicating a failure in vulnerability disclosure handling
- Multiple vulnerabilities — the attacker stated: "There's not only one vulnerability that I've found. It's a lot," suggesting systemic security issues
- Backdoor persistence — explicit claims of deployed backdoors mean the attacker may retain access even after the defacement is cleaned up
- Database exposure — 3,000+ lines of database content could contain student records, staff information, and administrative data
- Password-protected dump — the use of a password ("LucenaCutie") for the data dump suggests the attacker is controlling distribution while still making the data accessible
- Government education target — DepEd division offices handle sensitive data for students, teachers, and administrative staff across entire city divisions
How This Type of Attack Works
Website defacement with data exfiltration typically involves:
1. Identifying vulnerabilities in the web application or server — the attacker claimed to have found multiple vulnerabilities
2. Attempting responsible disclosure — in this case, the attacker claims warnings were sent but ignored
3. Exploiting vulnerabilities to gain database access and server-level control
4. Exfiltrating data — dumping database contents and making them available publicly
5. Deploying backdoors — establishing persistent access for future re-entry
6. Defacing the website — replacing or modifying pages with the attacker's message as public proof
7. Publishing proof on social media and paste sites to pressure the target organization
Recommended Actions
1. Take the compromised server offline immediately — the server should be considered fully compromised given the claims of backdoor deployment
2. Do not simply restore the website — the backdoors must be identified and removed before bringing any services back online; a full rebuild on clean infrastructure is recommended
3. Analyze the leaked database dump to determine what sensitive data was exposed (student PII, staff records, credentials, etc.)
4. Reset all credentials — admin passwords, database passwords, FTP/SSH keys, CMS credentials, and any API tokens associated with the server
5. Notify the National Privacy Commission (NPC) within 72 hours if personal data was confirmed in the database dumps, as required under the Data Privacy Act of 2012
6. Notify affected individuals (students, parents, teachers, staff) if their personal data was in the compromised databases
7. Conduct a full security audit of all DepEd Lucena City web properties and related infrastructure
8. Establish a vulnerability disclosure process — implement a clear channel for security researchers and others to report vulnerabilities, and respond to reports promptly
9. Implement a web application firewall (WAF) and intrusion detection systems
10. Coordinate with DepEd Central Office on a unified security response, especially given the pattern of attacks against multiple division offices
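One way to approach step 3 above, as an added example that is not part of the original report: a Python triage pass over a mysqldump-style SQL file that counts, per table and column, values that look like emails, Philippine mobile numbers or password hashes, without echoing the values themselves. The sample dump, its table and column names, and the column-name hints are constructed assumptions; the schema of the real dump is not described on this page.

```python
import re
from collections import Counter

# Constructed sample; table and column names are hypothetical, not from the real dump.
SAMPLE_DUMP = """\
INSERT INTO `users` (`id`, `username`, `password`, `email`) VALUES (1, 'admin', '$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0', 'admin@example.test'), (2, 'teacher1', '5f4dcc3b5aa765d61d8327deb882cf99', 'teacher1@example.test');
INSERT INTO `learners` (`id`, `full_name`, `contact`) VALUES (1, 'Juan Dela Cruz', '09171234567'), (2, 'Maria O''Neil', '+639181234567');
"""

STR = r"'(?:[^'\\]|\\.|'')*'"  # SQL string literal, tolerating \' and '' escapes
# Assumes one INSERT statement per line with an explicit column list.
INSERT_RE = re.compile(
    r"INSERT INTO\s+`?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*(.+?);\s*$", re.I | re.M)
ROW_RE = re.compile(r"\(((?:%s|[^()'])*)\)" % STR)  # one (v1, v2, ...) tuple
VAL_RE = re.compile(r"(%s)|([^,\s]+)" % STR)        # quoted string or bare token

# Value shapes that point to personal data or credentials.
CLASSIFIERS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "ph_mobile": re.compile(r"^(?:\+63|0)9\d{9}$"),
    "bcrypt_hash": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "hex32_md5_like": re.compile(r"^[0-9a-f]{32}$", re.I),
}
# Column names worth a manual look even when no value pattern matches
# (for example plaintext passwords). The hint list is an assumption.
NAME_HINT = re.compile(r"pass|pwd|birth|address|contact|mobile|email|name", re.I)


def triage(dump):
    """Return {(table, column): Counter(label -> hits)}; values are never echoed."""
    findings = {}
    for table, cols, body in INSERT_RE.findall(dump):
        columns = [c.strip(" `") for c in cols.split(",")]
        for row in ROW_RE.findall(body):
            values = [q[1:-1] if q else bare for q, bare in VAL_RE.findall(row)]
            for col, val in zip(columns, values):
                labels = [name for name, rx in CLASSIFIERS.items() if rx.match(val)]
                if NAME_HINT.search(col):
                    labels.append("sensitive_column_name")
                for label in labels:
                    findings.setdefault((table, col), Counter())[label] += 1
    return findings


if __name__ == "__main__":
    for (table, col), hits in sorted(triage(SAMPLE_DUMP).items()):
        print(f"{table}.{col}: {dict(hits)}")
```

The per-column counts give the inventory needed for the notification decision in steps 5 and 6, and a column that holds both bcrypt and 32-hex values indicates that some accounts are still stored with a weak hash.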
Context
DepEd Tayo Lucena City is the Department of Education division office for Lucena City in Quezon province, CALABARZON region. Division offices manage educational programs, student data, and teacher records for their respective areas.
This breach is part of a pattern of attacks by Ch4nc3ll0rx 1337 against DepEd division offices. The attacker has demonstrated hacktivist motivations and has been linked to groups including Nullsec Philippines. The attacker maintains a presence on Facebook and Telegram (t.me/nullsechackers).