Unauthorized Access
Medium | Resolved

University of the East (UE)

The University of the East reported unauthorized access to personal data of 1,572 Senior High School students stored in the database of the UE College of Computer Studies and Systems Research and Development unit.

April 17, 2019 | Manila, NCR | 1,572 records affected

Key Facts

Date of Incident: April 17, 2019
Date Discovered: April 17, 2019
Records Affected: 1,572
Data Types Exposed: Student personal data, Senior high school student records
Response / Action Taken

NPC case opened and closed after UE demonstrated compliance. Security measures implemented.

What Happened

On April 17, 2019, the University of the East (UE) notified the National Privacy Commission about unauthorized access to personal data stored in the database of the Research and Development unit of the UE College of Computer Studies and Systems.

The breach involved personal data of 1,572 Senior High School students.

How This Attack Works

This breach occurred in a Research and Development database within the College of Computer Studies and Systems. R&D databases are particularly vulnerable because they often contain real student data used for testing or research purposes, but lack the security controls applied to production systems. Common vulnerabilities include:

  • Weak or default database credentials
  • No network-level access restrictions (database accessible from any campus computer)
  • Lack of encryption for stored personal data
  • No audit logging to detect unauthorized access

NPC Investigation

The NPC investigated the case under Case CID BN 19-067. The Commission reviewed UE's compliance with breach notification requirements and the security measures implemented after the incident. The NPC eventually closed the case after UE demonstrated compliance with the Data Privacy Act's requirements.

How to Prevent This

  1. Never use real student data in R&D or test environments — use anonymized or synthetic data for research and development. Tools like Faker can generate realistic but fake student records.
  2. Apply the same security controls to all databases containing personal data — R&D, staging, and test databases need the same access controls, encryption, and monitoring as production systems.
  3. Implement role-based access control (RBAC) — restrict database access to only those who need it, with different permission levels for read-only vs. write access.
  4. Encrypt personal data at rest — use database-level or column-level encryption so data is unreadable even if the database is accessed without authorization.
  5. Enable database audit logging — track who accesses what data and when, so unauthorized access is detected quickly.
  6. Report breaches to the NPC within 72 hours — the Data Privacy Act requires prompt notification. Cooperating with the NPC, as UE did, leads to faster case resolution.
  7. Conduct data inventory — know where all copies of student personal data exist across your institution, including research labs, development servers, and shared drives.
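
As an added illustration of item 1 (not code from UE, the NPC, or this tracker), the Python sketch below builds an R&D copy of a student table using keyed pseudonymisation, an allow-list of fields, and a leak check before export. The column names, placeholder name lists, sample rows, and key are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production student table.
SAMPLE_ROWS = [
    {"student_no": "2019-00123", "name": "Maria Santos", "birth_date": "2002-03-14",
     "email": "maria.santos@example.edu", "strand": "STEM", "gpa": "91.5"},
    {"student_no": "2019-00456", "name": "Jose Reyes", "birth_date": "2001-11-02",
     "email": "jose.reyes@example.edu", "strand": "ABM", "gpa": "88.0"},
]
# Constructed placeholder names; a generator such as Faker could supply these instead.
FAKE_GIVEN = ["Alex", "Sam", "Robin", "Jamie", "Casey", "Morgan"]
FAKE_FAMILY = ["Cruz", "Lim", "Tan", "Garcia", "Ramos", "Flores"]
KEEP_FIELDS = {"strand", "gpa"}  # allow-list: any column not named here is dropped
SENSITIVE_FIELDS = ("student_no", "name", "birth_date", "email")

def pseudonym(key: bytes, value: str) -> str:
    """Keyed one-way token: stable across tables, not recomputable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def to_rnd_row(key: bytes, row: dict) -> dict:
    """Replace identifiers, generalise date of birth to a year, keep allow-listed fields."""
    token = pseudonym(key, row["student_no"])
    n = int(token, 16)
    name = f"{FAKE_GIVEN[n % len(FAKE_GIVEN)]} {FAKE_FAMILY[(n // 7) % len(FAKE_FAMILY)]}"
    out = {"student_ref": token, "name": name, "birth_year": row["birth_date"][:4]}
    out.update({k: v for k, v in row.items() if k in KEEP_FIELDS})
    return out

def leaked_values(original: list, exported: list) -> list:
    """Return every original identifier value that still appears in the export."""
    sensitive = {r[f] for r in original for f in SENSITIVE_FIELDS if f in r}
    seen = {str(v) for r in exported for v in r.values()}
    return sorted(sensitive & seen)

def build_rnd_dataset(key: bytes, rows: list) -> list:
    """Transform all rows and refuse to export if any real identifier survived."""
    exported = [to_rnd_row(key, r) for r in rows]
    leaks = leaked_values(rows, exported)
    if leaks:
        raise ValueError(f"identifiers leaked into R&D export: {leaks}")
    return exported

if __name__ == "__main__":
    # Assumption: the real key is held outside the R&D environment.
    print(build_rnd_dataset(b"constructed-demo-key", SAMPLE_ROWS))
```

The tokens are pseudonymous rather than anonymous: anyone holding the key can recompute them from a student number, so the key must not be stored alongside the R&D copy.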

Sources & References

  [1] National Privacy Commission, NPC Resolution: In re University of the East (CID-BN-19-067) — case closed Oct 22, 2020
  [2] GitHub (ajdumanhug/gothacked), Registry of Philippine school hacking incidents — UE also listed as breached June 19, 2020 by 'InFamouz'