SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Data Exposure
MediumConfirmed

IBA College of Mindanao Inc.

On May 3, 2026, IBA College of Mindanao Inc. was publicly named in two threat-actor Facebook posts (Nullsec Philippines and the affiliated 4b1smo account) claiming access to 500+ student records, with screenshot evidence and a downloadable-file link. The institution responded publicly via its BSIT department's official Facebook page with a statement confirming a security breach of its website but specifically denying a deeper compromise: only the website administrator account was affected, the LMS server is on separate infrastructure and was not accessed, and the institution states the data being claimed by external parties is not from its system. The school's denial and the threat actor's claim are presented side-by-side on this entry; both positions are documented and neither is endorsed by SchoolBreach.org pending independent forensic review or NPC findings.

May 3, 2026Valencia City, Bukidnon, Northern MindanaoDisputed: institution states no sensitive information leaked; threat actor claims 500+ student records records affected

Key Facts

Date of Incident
May 3, 2026
Date Discovered
May 3, 2026
Records Affected
Disputed: institution states no sensitive information leaked; threat actor claims 500+ student records
Source
IBA College of Mindanao Inc. (Facebook statement, May 3, 2026); Nullsec Philippines + 4b1smo (Facebook claim posts)
Data Types Exposed
Website administrator account credentials (institution-confirmed)Student information (claimed by threat actor; denied by institution)
Response / Action Taken

On May 3, 2026, IBA College of Mindanao Inc. issued a public statement via its BSIT department's official Facebook page (IBACM - Valencia) confirming a security breach of its website. The institution states that only the website administrator account was compromised, that the LMS server is on separate infrastructure and was not accessed, and that the data being claimed by external parties is not from its system. SchoolBreach.org has updated this entry's status to 'confirmed' on the basis of the school's acknowledgment, in accordance with the methodology's right-of-reply framework. Subsequent updates will follow if the institution issues additional statements, if the National Privacy Commission opens proceedings, or if independent reporting reviews the disputed dataset.

Institution Statement

IBA College of Mindanao Inc. issued a public statement on its Bachelor of Science in Information Technology (BSIT) department's official Facebook page (IBACM - Valencia) responding to the threat-actor claims. The full text of the statement, reproduced verbatim:

"Announcement about the recent security breach of IBA College of Mindanao Inc. website

We confirm that only the administrator account of the WEBSITE was compromised. This incident was isolated and did not affect the systems.

The LMS server and website are separate, and there is no evidence that the LMS server was accessed or penetrated.

No sensitive information has been leaked, and the data being claimed as ours by external parties is not from our system."

The institution's position is:

  1. 1.A security incident did occur, and it is publicly acknowledged
  2. 2.The compromise was limited to a single administrator account on the website
  3. 3.The website and the LMS are on separate infrastructure; only the website was affected
  4. 4.There is no evidence the LMS was reached
  5. 5.The institution disputes that the data the threat actor is circulating belongs to its system

Per SchoolBreach.org's right-of-reply policy, this statement is published in full and unedited. The institution is invited to provide updated statements at any time as the investigation progresses; updates will be appended above this entry's existing record.

What Happened

On May 3, 2026, IBA College of Mindanao Inc. was publicly named in two separate threat-actor Facebook posts within roughly seven hours of each other:

The earlier post: an account posting under the Nullsec Philippines banner, signed "Nostra & friends", addressed the institution with the framing "knock knock — because of your negligence, your users are affected again. Because of that, you deserve to be hit." The post claimed "500+ student info? I have a copy" and included two `site-shot.com` screenshot URLs as visual evidence (specific URLs withheld on this site).

The follow-up: a separate account ("4b1smo") posted "IBA College of Mindanao Inc. student info leak" with a public file-sharing download link (specific host and path withheld). Nullsec Philippines re-shared this second post on its main page. As of the time of this entry, the 4b1smo follow-up post is no longer visible on its origin account, though the primary Nullsec post remains.

The two-post pattern — a primary claim with screenshot evidence followed by a separate account distributing a download link a few hours later — is consistent with the operational handoff seen in earlier Nullsec / collaborator activity tracked on this site, where one account makes the disclosure and a second account hosts the data dump.

The Conflict Between the Two Positions

The institution's statement directly contradicts three of the threat actor's specific claims:

TopicInstitution's positionThreat actor's claim
Scope of compromise"Only the administrator account of the WEBSITE was compromised. This incident was isolated and did not affect the systems."Implied broader access via the "your users are affected again" framing
LMS access"The LMS server and website are separate, and there is no evidence that the LMS server was accessed or penetrated."Posted screenshot URLs presented as evidence of access to student information
Data authenticity"No sensitive information has been leaked, and the data being claimed as ours by external parties is not from our system."Distributed a download link claiming to host "500+ student info"

This entry does not adjudicate between the two positions. The institution's statement is the most authoritative source available, but the threat actor still possesses (or claims to possess) a specific dataset, and the screenshots they posted have not been forensically reviewed by an independent third party. Both positions are preserved for the public record. Updates will follow if any of the following occur:

  • The institution provides further statements (technical post-mortem, NPC notification, dataset-specific denial)
  • An independent third party (Deep Web Konek, NPC, media) reviews the dataset the threat actor is circulating and reports findings
  • The threat actor provides additional evidence or withdraws the claim

Why This Matters

  • First school in the May batch to exercise the right of reply — IBA College of Mindanao Inc. is, as of this entry, the first institution among the May 2026 Nullsec/Fawkes/Crypt0nymz batch to issue a public statement on its own systems. That is the methodology-correct response and is the basis for moving this entry from "investigating" to "confirmed" on the SchoolBreach.org tier framework, regardless of whether the substance of the school's denial is later corroborated
  • Sets a transparency benchmark for peer institutions — institutions that issued no statement at all (the majority of the May batch) appear less responsive by comparison, even when the underlying incident is identical in scope
  • Repeat-victim framing in the threat-actor post — the actor's "your users are affected again" language is operationally significant and worth flagging for the institution's internal investigation regardless of the school's public position. If "again" refers to an earlier real compromise, that earlier event may warrant separate review even if the current one is contained as the school describes
  • Distributed disclosure pattern — claim and download surface on different accounts within hours, expanding distribution and complicating takedown requests; this remains a generalizable risk for the sector even where, as the school states, no actual data was leaked

Attacker

The primary post was signed "Nostra & friends" under the Nullsec Philippines banner. The follow-up was published by 4b1smo, a Facebook account that Nullsec Philippines began publicly promoting on May 3, 2026 ("follow this new page of Nos thanks"). The two accounts are operationally linked: 4b1smo's posts have been re-shared on the Nullsec Philippines main page, and at least one 4b1smo post identifies itself as "the side of Nostra".

The handles are part of the broader Nullsec / Fawkes Pilipinas / Crypt0nymz collective documented across many entries on this site, including the DepEd Training Platform CSV leak (May 3), the MIMAROPA state university MIS defacement (May 2), the Laguna technical-institute off-domain claim (May 2), the San Juan, Batangas Catholic K-12 claim (May 1), and the Rosario, Batangas private school claim (April 28).

Recommended Actions Already Taken (per institution statement)

The institution's own account of remediation is preserved here:

  • The website administrator account compromise was identified
  • The institution states the LMS infrastructure was not affected
  • The institution states no sensitive information was leaked

Recommended Additional Actions

For completeness, beyond the steps the institution states it has already taken, the following are worth confirming were also performed:

  1. 1.Forensic verification of the LMS infrastructure separation — the institution's claim that "the LMS server and website are separate" is straightforwardly defensible if confirmed by an independent third party reviewing access logs, network topology, and shared-credential surfaces
  2. 2.Review of the threat actor's screenshots and downloadable file — even if the institution's position is that the data is not authentic to its system, an internal review of the specific records the actor is distributing helps establish what the actor thinks they have, which is useful context for defending against follow-up activity
  3. 3.NPC notification under RA 10173 — even where the institution's position is that no sensitive information was leaked, a personal-information controller should consider whether a notification is warranted given the public nature of the claim and the institution's own confirmation that some breach occurred
  4. 4.Coordinate takedown with the file-sharing host hosting the disputed dataset, regardless of the institution's position on its authenticity — the file's continued availability under the institution's name is itself a reputational concern
  5. 5.Investigate the "your users are affected again" framing — if the actor's reference to a prior incident has any factual basis, that earlier event may warrant separate internal review

Institution Statement

Right of Reply — Official statement from the named institution

Announcement about the recent security breach of IBA College of Mindanao Inc. website. We confirm that only the administrator account of the WEBSITE was compromised. This incident was isolated and did not affect the systems. The LMS server and website are separate, and there is no evidence that the LMS server was accessed or penetrated. No sensitive information has been leaked, and the data being claimed as ours by external parties is not from our system.

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. [1]
    IBA College of Mindanao Inc. — official statement on the website security breach (Facebook) — Public statement from IBA College of Mindanao Inc. shared on the institution's Bachelor of Science in Information Technology (BSIT) department's official Facebook page (IBACM - Valencia), confirming that the website administrator account was compromised but stating the LMS was not accessed and disputing the threat actor's data-leak claim (May 3, 2026).
    Accessed: May 4, 2026
  2. [2]
    Nullsec Philippines primary claim post (Facebook) — Primary threat-actor claim of 500+ student records, signed 'Nostra & friends', with two site-shot.com screenshot URLs as evidence (May 3, 2026).
    Accessed: May 3, 2026
  3. [3]
    4b1smo follow-up post with download link (Facebook) — Follow-up post on a Nullsec-affiliated account distributing a downloadable file on a public file-sharing host (May 3, 2026). Subsequently appears to have been removed from this account, though the primary Nullsec post remains.
    Accessed: May 3, 2026
Valencia CityBukidnonNorthern Mindanaoprivate collegewebsite breachadministrator account compromiseschool statementright of replydisputed claimNullsecPhilippines4b1smoNostra2026

Related Incidents

High

Technological University of the Philippines - Manila

July 4, 2026

Low

A foundation college in Mindanao

May 3, 2026

Medium

A private university in Metro Manila

July 14, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources