What Happened
On December 8, 2014, Rappler reported that the database of the Ateneo Law School website was hacked, with student user accounts leaked online. The breach targeted the school's online Student Access Module at law.ateneo.edu.
The perpetrator was identified as AnonCalapan, the official Philippine branch of the international AnonGhost hacking network — named after the city of Calapan, capital of Oriental Mindoro province.
What Was Compromised
The hackers leaked:
- Usernames of Ateneo Law School students
- Passwords (stored in plaintext or easily reversible format)
- Full names of students who logged into the Student Access Module
Both the Student Access Module and the official Ateneo Law School website (law.ateneo.edu) were taken down following the breach.
Political Motivation
The leaked file contained political messaging:
- A paragraph about the education of President Benigno "Noynoy" Aquino III (Ateneo de Manila University graduate, class of 1981, BS Economics)
- Hashtags: #OPYOLANDA, #PURISIMA, #NOYNOY, #FUCKTHESYSTEM
The attack was tied to:
- 1.#OpYolanda — Criticism of the Aquino administration's handling of Typhoon Yolanda (Hainan), which devastated the Philippines on November 8, 2013, killing over 6,300 people
- 2.#Purisima — Referring to PNP Chief Alan Purisima, whose controversial role was already a point of political tension in late 2014
Broader Context: 2014 Philippine Hacktivism Wave
The Ateneo hack occurred during a wave of hacktivism in the Philippines:
- November 3, 2014 — Anonymous Philippines launched defacement attacks on government websites over slow Typhoon Yolanda relief
- November 8, 2014 — A second wave called "Operation Infosurge" launched on the first anniversary of Typhoon Yolanda
- December 5, 2014 — Philippine government websites were still down or defaced a month after attacks
- December 8, 2014 — The Ateneo Law School hack was reported
AnonGhost had been actively attacking Philippine websites since early 2013, defacing 130+ Philippine websites including government sites, educational institutions, and private organizations.
Why This Breach Matters
- Early credential exposure — Unlike website defacements, this attack specifically targeted and leaked student credentials, foreshadowing the database-focused attacks that would become dominant years later
- Prestigious institution targeted — Ateneo Law School is one of the Philippines' most prominent law schools, demonstrating that institutional prestige offers no protection
- Politically motivated — The hack showed how schools could become collateral targets in broader political hacktivist campaigns
- Password security failure — The exposure of plaintext or reversible passwords highlighted fundamental security practices that many institutions still had not adopted
Lessons for Schools
- 1.Hash and salt all passwords — plaintext or reversible password storage is never acceptable
- 2.Separate public-facing and sensitive systems — student portals with credentials should not share infrastructure with public websites
- 3.Schools can be political targets — institutions may be targeted not for their data, but for their symbolic association with political figures or causes
- 4.Incident response planning — the need to take down both the portal and main website suggests a lack of system segmentation
Sources & References
- [1]Rappler — Database of Ateneo Law School website hacked (December 8, 2014)
- [2]HackRead — 130+ Philippines Websites Hacked by AnonGhost
- [3]Newsbytes.PH — PH gov't websites still down, defaced a month after attacks (December 5, 2014)