Our Methodology
How we verify, classify, and publish cybersecurity incidents affecting Philippine schools — and how institutions can respond.
Why This Tracker Exists
Schools hold some of the most sensitive data in the Philippines — children's personal information, family details, medical records, and government IDs. Yet most schools lack the resources and awareness to protect this data.
SchoolBreach.org exists to raise awareness, document attack patterns, and help schools learn from incidents before they become victims themselves. Every entry we publish is guided by a single question: does this serve the protection of student data?
We are not a naming-and-shaming platform. We are a public-interest resource operated by OceanEd Inc., and we hold ourselves to the editorial standards described on this page.
Editorial Principles
Every entry on this tracker is governed by five principles:
Accuracy
Every claim is backed by verifiable evidence. We never present allegations as established facts.
Proportionality
The detail we publish matches the strength of the evidence. Weaker evidence means less identifying information.
Good Faith
Our sole purpose is public awareness and student data protection. We do not publish for commercial advantage or institutional harm.
Neutral Language
All entries use factual, non-sensational language. We never characterize institutions as negligent or irresponsible.
Right of Reply
Every named institution has a standing right to respond, correct, or provide context — and those responses are published prominently.
How We Verify Sources
We classify every source by reliability before deciding how much identifying detail to publish.
| Source tier | Examples | What it means |
|---|---|---|
| Official | National Privacy Commission decisions, school public statements, government advisories, court filings | Independently verifiable. Strongest basis for publication. |
| Media | Major news outlets (Inquirer, Rappler, GMA), cybersecurity media (BleepingComputer, The Record), credible independent journalists | Published under editorial standards. Supports naming the institution with attribution. |
| Unverified | Threat actor claims, dark web postings, social media screenshots, paste sites, unverified forum posts | Cannot be independently confirmed. Requires corroboration before the institution is named. |
Verification steps
- 1
Classify the source — determine the original source and assign a reliability tier.
- 2
Cross-reference — look for at least one additional independent source. For unverified sources, a second source is mandatory before any institution is named.
- 3
Archive evidence — save all source materials (Wayback Machine snapshots, screenshots with timestamps, PDF exports) at the time the entry is created.
- 4
Review language — ensure all text is factual and neutral. Use attribution phrasing (“threat actor claimed,” “reportedly,” “allegedly”) for all unconfirmed claims.
- 5
Notify the institution — make a good-faith effort to contact the affected school through publicly available channels before or at the time of publication.
AI assistance disclosure
We use AI tools to assist with research, summarization, and report drafting. All AI-assisted content is reviewed by a human editor before publication. AI is never the sole source for any factual claim.
Tiered Disclosure Framework
The identifying detail we publish is proportional to the evidence we have. Stronger evidence means more detail. Weaker evidence means the institution is anonymized.
Full details published
The institution's name, location, affected systems, and incident details are published.
Required evidence: An official source (NPC finding, school acknowledgment) — or a credible media report where the institution did not dispute the facts within 30 days of notification.
Named with attribution
The institution's name and city are published, with all claims clearly attributed to the reporting source.
Required evidence: At least one credible media report from an outlet with editorial standards. All unconfirmed details use attribution language (“according to,” “reportedly”).
Fully anonymized
The institution is described generically — for example, “a public university in Eastern Visayas.” No school name, no city, no system name, no details that narrow identification to a single institution.
Required evidence: A single unverified source (threat actor claim, social media post) with no independent corroboration. The entry documents the attack vector and lessons learned without identifying the school.
How entries move between tiers
Unconfirmed→InvestigatingWhen a credible media report or second independent source is identified. The entry is de-anonymized.
Investigating→ConfirmedWhen the institution acknowledges the incident, the NPC publishes a finding, or the institution does not dispute the entry within 30 days of notification.
Any tier→RemovedIf evidence is fabricated or the institution demonstrates no breach occurred. A correction notice is published.
Confirmed / Investigating→UnconfirmedIf previously corroborating evidence is retracted or discredited. The entry reverts to anonymized status.
Language Standards
The language used in each entry is tied to its tier:
Confirmed entries
Factual declarative language. “DepEd Laguna's database was breached, exposing 7 million records according to NPC findings.”
Investigating entries
Attribution language is required. “According to a BleepingComputer report, a threat actor claimed to have accessed the university's student records system.”
Unconfirmed entries
Maximum hedging and full anonymization. “An unverified claim surfaced alleging data exposure at a public university in the Eastern Visayas region.”
Personal Data Handling
SchoolBreach.org does not publish personal data of individuals affected by breaches. Our entries describe incidents at the institutional level only:
No student names, ID numbers, contact information, or academic records are ever published.
No employee personal details are published, except publicly identified spokespersons acting in their official capacity.
Threat actor aliases are included only when they are already part of the public record.
NPC breach notifications may be referenced but are not reproduced in full.
Corrections & Right of Reply
Every institution named on this tracker has a standing right to respond. We take correction requests seriously — our goal is accuracy, not volume.
How to submit a response
An authorized representative of the institution may contact us through:
- Email: [email protected] — subject line: “SchoolBreach — Right of Reply — [Institution Name]”
- Contact form: theoceaned.com/contact
Please include your name and position, the specific entry you are addressing, and the factual basis for your correction or context.
What happens next
- 1
Acknowledgment — we respond within 3 business days confirming receipt.
- 2
Review — our team reviews the submission within 10 business days. If we need further verification, we will reach out.
- 3
Institution response published — if you provide a statement, it is published in full and unedited as a clearly labeled “Institution Statement” on the entry page.
- 4
Correction issued — if a factual error is confirmed, we correct the entry within 5 business days with a visible correction notice and date.
- 5
Removal — if you demonstrate that no breach occurred, the entry is removed and a correction notice is published explaining the removal.
Is an entry about your school inaccurate?
Every breach entry page includes an “Is This Entry Inaccurate?” card with a direct link to submit a correction. You can also reach us at [email protected] at any time.
Policy Updates
This methodology is reviewed at least once a year, or whenever there is a material change in Philippine law affecting data privacy, cybersecurity disclosure, or defamation. The current version was published in March 2026.
If you have questions about our editorial process, contact us at [email protected].
Know of a Breach? Help Us Stay Complete.
If you know of a Philippine school data breach not yet documented here, you can report it confidentially. We review every submission.