SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Data Exposure
HighConfirmed

Seven Schools, Institutions, and LGUs (NPC Investigation)

The National Privacy Commission investigated breaches affecting seven schools, institutions, and local government units after digital investigators found exposed databases containing personal information of at least 2,000 individuals, including passwords.

January 1, 2022Nationwide, National2,000 records affected

Key Facts

Date of Incident
January 1, 2022
Date Discovered
January 1, 2022
Records Affected
2,000
Source
National Privacy Commission (NPC)
Data Types Exposed
NamesAddressesPhone numbersEmail addressesPasswords
Response / Action Taken

NPC summoned officials from all seven organizations. Sanctions pending based on level of negligence. Privacy Commissioner Raymund Liboro issued public statements about the failures.

What Happened

The National Privacy Commission (NPC) launched an investigation into multiple simultaneous data breaches affecting seven schools, institutions, and local government units (LGUs) across the Philippines. NPC digital investigators determined that each of the exposed databases contained sensitive personal information that could be used to perpetuate identity fraud.

The combined number of exposed records involved at least 2,000 individual data subjects.

Data Exposed

The compromised databases contained:

  • Full names of data subjects
  • Home addresses
  • Phone numbers
  • Email addresses
  • Passwords (in some instances, stored in plaintext or weakly hashed formats)

The exposure of passwords alongside other personal information significantly increases the risk of identity theft and account takeover attacks.

Failure to Notify

Critically, none of the seven affected organizations issued data breach notifications as required under the Data Privacy Act of 2012 (Republic Act No. 10173). This failure to notify is itself a violation of the law.

Privacy Commissioner Raymund Liboro stated: "PICs [Personal Information Controllers] are required to employ organizational, technical and physical measures to protect personal data. This includes the duty to inform data subjects and this Commission if there is a serious data breach."

NPC Response

The NPC summoned the management and officials of all seven organizations to explain:

  1. 1.Why they failed to notify the NPC within 72 hours of discovering the breach (as required by law)
  2. 2.Why they failed to notify the affected data subjects
  3. 3.What security measures were in place to protect personal data

The NPC stated that sanctions would depend on the level of negligence demonstrated by each organization regarding their duty to protect personal data.

Why This Breach Matters

  • Systemic failure — seven organizations simultaneously failed to comply with the Data Privacy Act, suggesting widespread lack of awareness of data protection obligations
  • Passwords exposed — the storage and exposure of passwords indicates serious security deficiencies in how these organizations handled authentication data
  • No self-reporting — none of the organizations detected or reported the breaches on their own, raising questions about their security monitoring capabilities
  • Schools as data controllers — educational institutions hold sensitive personal data of students and staff, making them subject to the same data protection requirements as any other organization

Lessons for Schools

  1. 1.Know your obligations under the Data Privacy Act — all organizations that process personal data must register with the NPC and have a Data Protection Officer
  2. 2.Report breaches within 72 hours — failure to notify the NPC and affected individuals can result in additional sanctions
  3. 3.Never store passwords in plaintext — use strong, salted hashing algorithms (bcrypt, Argon2) for all password storage
  4. 4.Conduct regular security audits — proactive scanning would have identified these exposed databases before attackers found them
  5. 5.Implement access controls — databases containing personal information should never be accessible without authentication

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. [1]
    NPC Official Statement — NPC investigates multiple government website breach
  2. [2]
    Philippine News Agency — NPC investigates data breach of various government websites
NPCData Privacy ActgovernmentschoolsLGUpasswordsdata exposurecompliance failure

Related Incidents

Critical

DepEd Online Voucher Application Program (OVAP)

February 20, 2024

High

A state university in Metro Manila

July 4, 2026

High

Philippine Universities — Canvas LMS Breach

May 6, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources