SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially.

SchoolBreach.org Learn

School Cybersecurity Education

Free guides, checklists, and templates to help Philippine schools protect student data and comply with the Data Privacy Act.

5 Guides · 2 Checklists · 17 Explainers · 2 Templates

“The Philippines needs 180,000 more cybersecurity professionals.”

— ISC² Cybersecurity Workforce Study

Guides

Step-by-step guides for school cybersecurity

guide · 10 min read

Data Privacy Act 101 for Philippine Schools

A plain-English guide to the Data Privacy Act of 2012 and what it means for your school. No legal jargon, just what you need to know.

DPA · RA 10173 · NPC

guide · 8 min read

How to Choose Secure School Software

A guide to evaluating the security and suitability of school management software before trusting it with student data. Includes questions to ask and red flags to watch for.

vendor evaluation · EdTech · software selection

guide · 8 min read

How to Set Up MFA for Your School (Google Workspace & Microsoft 365)

Step-by-step instructions for enabling multi-factor authentication on your school's Google Workspace or Microsoft 365 accounts.

MFA · 2FA · Google Workspace

guide · 8 min read

Secure Equipment & Data Disposal for Philippine Schools

How to safely retire old computers, servers, and vendor contracts without leaving student data behind. Includes lessons from the PH Army data exposure incident.

disposal · decommissioning · hardware

guide · 8 min read

How to Check If Your School's Data Is on the Dark Web

A step-by-step guide for school administrators to find out if their institution's data has been leaked — and what to do if it has.

breach check · dark web · HIBP

Checklists

Actionable security checklists

checklist · 5 min read

10-Point School Cybersecurity Checklist

A printable, actionable checklist covering the 10 most critical cybersecurity measures every Philippine school should implement today.

checklist · cybersecurity · actionable

checklist · 6 min read

Vendor Security Assessment Checklist for Schools

A printable checklist for evaluating any software vendor or cloud service before trusting them with student data. Covers security, privacy, and contract requirements.

vendor assessment · third-party · EdTech

Explainers

Understand threats and regulations

explainer · 8 min read

What To Do When Your School Gets Breached

A step-by-step response guide for school administrators dealing with a data breach. Covers the critical first 72 hours and beyond.

breach response · incident response · NPC

explainer · 7 min read

Common Attack Vectors in Philippine Schools

Based on tracked incidents, here are the most common ways Philippine schools get breached — and how to defend against each one.

attack vectors · threats · phishing

explainer · 8 min read

Understanding Ransomware: A Guide for School Administrators

What ransomware is, how it reaches Philippine schools, and the concrete steps you can take to prevent it — and survive it if it hits.

ransomware · malware · backup

explainer · 5 min read

Sensitive Paths Exposed: What It Means and Why It Matters

When a school website accidentally exposes admin panels, config files, or backup archives, attackers don't need to hack — they just browse. Here's what to look for and how to lock things down.

web security · misconfiguration · admin panel

explainer · 5 min read

HTTPS and SSL: Why Every School Website Needs It

HTTPS encrypts traffic between your school website and visitors. Without it, login credentials, student data, and form submissions travel in plain text — readable by anyone on the same network.

HTTPS · SSL · TLS

explainer · 4 min read

HSTS Explained: Locking Your School Site to HTTPS

HTTPS encrypts your site, but HSTS ensures browsers never even try to connect over plain HTTP. It's a one-line header that closes a real attack window — and every school site running HTTPS should have it.

HSTS · HTTPS · security headers

explainer · 6 min read

Content Security Policy: Blocking Injected Scripts on School Sites

A Content Security Policy (CSP) header tells browsers which scripts, styles, and resources your site is allowed to load. It's one of the most effective defenses against cross-site scripting (XSS) attacks.

CSP · XSS · security headers

explainer · 4 min read

X-Frame-Options: Preventing Clickjacking on School Sites

X-Frame-Options stops attackers from embedding your school's website inside a hidden iframe to trick users into clicking buttons or submitting forms they can't see. A one-line header, a real threat prevented.

X-Frame-Options · clickjacking · security headers

explainer · 4 min read

Server Information Disclosure: Why Hiding Your Stack Matters

When your web server announces its software name and version in every response header, you're handing attackers a shortcut. Here's what server information disclosure is, what it reveals, and how to suppress it.

server headers · information disclosure · hardening

explainer · 5 min read

Cookie Security Flags: Protecting Session Cookies on School Sites

Session cookies are the keys to your school's admin panels, portals, and CMS. Missing Secure and HttpOnly flags make them easy to steal. Here's what each flag does and how to set them.

cookies · session security · HttpOnly

explainer · 5 min read

CORS Misconfiguration: When Your School's API Trusts Everyone

Cross-Origin Resource Sharing (CORS) controls which websites can call your school's APIs. A misconfigured CORS policy can let any website on the internet read your student data or trigger admin actions.

CORS · API security · web security

explainer · 5 min read

SPF Records: Stopping Attackers From Spoofing Your School's Email

Without an SPF record, anyone can send email that appears to come from @yourschool.edu.ph. SPF is a DNS record that tells mail servers which servers are authorized to send on your behalf — and it takes 10 minutes to set up.

SPF · email security · DNS

explainer · 5 min read

DKIM: Cryptographic Proof That Your School's Email Is Genuine

DKIM adds a digital signature to every email your school sends. Receiving mail servers use this signature to verify the message was genuinely sent by you and hasn't been altered in transit.

DKIM · email security · DNS

explainer · 6 min read

DMARC: The Policy That Actually Enforces Email Authentication

SPF and DKIM check your email, but DMARC tells receiving servers what to do when those checks fail — and sends you reports of who's sending email as your school. It's the final piece of the email security puzzle.

DMARC · email security · DNS

explainer · 6 min read

Missing Privacy Elements: What Philippine Schools Must Display Online

RA 10173 requires schools to inform individuals about how their data is collected and used. Missing a privacy policy, cookie notice, or consent language isn't just a gap — it's a compliance violation that can trigger NPC investigation.

RA 10173 · DPA · privacy policy

explainer · 5 min read

CMS Version Exposure: Why Your WordPress Version Shouldn't Be Public

Many school websites broadcast their WordPress, Drupal, or Joomla version number in the page source. Attackers use this to target known vulnerabilities. Here's where it leaks and how to hide it.

WordPress · CMS · version disclosure

explainer · 8 min read

Shared Hosting and Web Shells: How One Account Compromise Takes Down Multiple Schools

Shared hosting is cheap and easy — but when attackers compromise one account, every site on it falls. Here's how web shell attacks work and what schools can do instead.

shared hosting · web shells · cPanel

Templates

Ready-to-use policy templates

template · 12 min read

Data Privacy Policy Template for Philippine Schools

A ready-to-customize privacy policy template that meets DPA requirements. Just fill in your school's details and you're compliant.

template · privacy policy · DPA

template · 10 min read

Incident Response Plan Template for Philippine Schools

A ready-to-use incident response plan template covering the full breach lifecycle — from detection to recovery. Customize with your school's contacts and procedures.

incident response · breach response · template

Know Your Rights Under the Data Privacy Act

The Data Privacy Act of 2012 (RA 10173) protects all Filipino citizens, including students and parents. Schools are considered "personal information controllers" and must:

  • Implement reasonable security measures to protect personal data
  • Notify the NPC and affected individuals within 72 hours of a breach
  • Appoint a Data Protection Officer (DPO)
  • Conduct Privacy Impact Assessments for high-risk processing
  • Only collect data that is necessary and relevant
  • Allow data subjects to access, correct, and delete their data

Report breaches to the National Privacy Commission (NPC) at privacy.gov.ph

Put Knowledge Into Action

Use our free cybersecurity tools to assess your school's security posture and identify areas for improvement.
