SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Unauthorized Access
MediumResolved

University of the East (UE)

The University of the East reported unauthorized access to personal data of 1,572 Senior High School students stored in the database of the UE College of Computer Studies and Systems Research and Development unit.

April 17, 2019Manila, National Capital Region1,572 records affected

Key Facts

Date of Incident
April 17, 2019
Date Discovered
April 17, 2019
Records Affected
1,572
Source
National Privacy Commission
Data Types Exposed
Student personal dataSenior high school student records
Response / Action Taken

NPC case opened and closed after UE demonstrated compliance. Security measures implemented.

What Happened

On April 17, 2019, the University of the East (UE) notified the National Privacy Commission about unauthorized access to personal data stored in the database of the Research and Development unit of the UE College of Computer Studies and Systems.

The breach involved personal data of 1,572 Senior High School students.

How This Attack Works

This breach occurred in a Research and Development database within the College of Computer Studies and Systems. R&D databases are particularly vulnerable because they often contain real student data used for testing or research purposes, but lack the security controls applied to production systems. Common vulnerabilities include:

  • Weak or default database credentials
  • No network-level access restrictions (database accessible from any campus computer)
  • Lack of encryption for stored personal data
  • No audit logging to detect unauthorized access

NPC Investigation

The NPC investigated the case under Case CID BN 19-067. The Commission reviewed UE's compliance with breach notification requirements and the security measures implemented after the incident. The NPC eventually closed the case after UE demonstrated compliance with the Data Privacy Act's requirements.

How to Prevent This

  1. 1.Never use real student data in R&D or test environments — use anonymized or synthetic data for research and development. Tools like Faker can generate realistic but fake student records
  2. 2.Apply the same security controls to all databases containing personal data — R&D, staging, and test databases need the same access controls, encryption, and monitoring as production systems
  3. 3.Implement role-based access control (RBAC) — restrict database access to only those who need it, with different permission levels for read-only vs. write access
  4. 4.Encrypt personal data at rest — use database-level or column-level encryption so data is unreadable even if the database is accessed without authorization
  5. 5.Enable database audit logging — track who accesses what data and when, so unauthorized access is detected quickly
  6. 6.Report breaches to the NPC within 72 hours — the Data Privacy Act requires prompt notification. Cooperating with the NPC, as UE did, leads to faster case resolution
  7. 7.Conduct data inventory — know where all copies of student personal data exist across your institution, including research labs, development servers, and shared drives

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. [1]
    National Privacy Commission — NPC Resolution: In re University of the East (CID-BN-19-067) — case closed Oct 22, 2020
  2. [2]
    GitHub (ajdumanhug/gothacked) — Registry of Philippine school hacking incidents — UE also listed as breached June 19, 2020 by 'InFamouz'
UENPC casesenior high schoolManiladata privacy act

Related Incidents

High

Philippine Universities — Canvas LMS Breach

May 6, 2026

High

De La Salle University (DLSU)

October 9, 2023

High

De La Salle University (DLSU) — 2020 Data Leak

June 28, 2020

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources