Institution Statement
IBA College of Mindanao Inc. issued a public statement on its Bachelor of Science in Information Technology (BSIT) department's official Facebook page (IBACM - Valencia) responding to the threat-actor claims. The full text of the statement, reproduced verbatim:
"Announcement about the recent security breach of IBA College of Mindanao Inc. website
We confirm that only the administrator account of the WEBSITE was compromised. This incident was isolated and did not affect the systems.
The LMS server and website are separate, and there is no evidence that the LMS server was accessed or penetrated.
No sensitive information has been leaked, and the data being claimed as ours by external parties is not from our system."
The institution's position is:
- 1.A security incident did occur, and it is publicly acknowledged
- 2.The compromise was limited to a single administrator account on the website
- 3.The website and the LMS are on separate infrastructure; only the website was affected
- 4.There is no evidence the LMS was reached
- 5.The institution disputes that the data the threat actor is circulating belongs to its system
Per SchoolBreach.org's right-of-reply policy, this statement is published in full and unedited. The institution is invited to provide updated statements at any time as the investigation progresses; updates will be appended above this entry's existing record.
What Happened
On May 3, 2026, IBA College of Mindanao Inc. was publicly named in two separate threat-actor Facebook posts within roughly seven hours of each other:
The earlier post: an account posting under the Nullsec Philippines banner, signed "Nostra & friends", addressed the institution with the framing "knock knock — because of your negligence, your users are affected again. Because of that, you deserve to be hit." The post claimed "500+ student info? I have a copy" and included two `site-shot.com` screenshot URLs as visual evidence (specific URLs withheld on this site).
The follow-up: a separate account ("4b1smo") posted "IBA College of Mindanao Inc. student info leak" with a public file-sharing download link (specific host and path withheld). Nullsec Philippines re-shared this second post on its main page. As of the time of this entry, the 4b1smo follow-up post is no longer visible on its origin account, though the primary Nullsec post remains.
The two-post pattern — a primary claim with screenshot evidence followed by a separate account distributing a download link a few hours later — is consistent with the operational handoff seen in earlier Nullsec / collaborator activity tracked on this site, where one account makes the disclosure and a second account hosts the data dump.
The Conflict Between the Two Positions
The institution's statement directly contradicts three of the threat actor's specific claims:
| Topic | Institution's position | Threat actor's claim |
|---|---|---|
| Scope of compromise | "Only the administrator account of the WEBSITE was compromised. This incident was isolated and did not affect the systems." | Implied broader access via the "your users are affected again" framing |
| LMS access | "The LMS server and website are separate, and there is no evidence that the LMS server was accessed or penetrated." | Posted screenshot URLs presented as evidence of access to student information |
| Data authenticity | "No sensitive information has been leaked, and the data being claimed as ours by external parties is not from our system." | Distributed a download link claiming to host "500+ student info" |
This entry does not adjudicate between the two positions. The institution's statement is the most authoritative source available, but the threat actor still possesses (or claims to possess) a specific dataset, and the screenshots they posted have not been forensically reviewed by an independent third party. Both positions are preserved for the public record. Updates will follow if any of the following occur:
- The institution provides further statements (technical post-mortem, NPC notification, dataset-specific denial)
- An independent third party (Deep Web Konek, NPC, media) reviews the dataset the threat actor is circulating and reports findings
- The threat actor provides additional evidence or withdraws the claim
Why This Matters
- First school in the May batch to exercise the right of reply — IBA College of Mindanao Inc. is, as of this entry, the first institution among the May 2026 Nullsec/Fawkes/Crypt0nymz batch to issue a public statement on its own systems. That is the methodology-correct response and is the basis for moving this entry from "investigating" to "confirmed" on the SchoolBreach.org tier framework, regardless of whether the substance of the school's denial is later corroborated
- Sets a transparency benchmark for peer institutions — institutions that issued no statement at all (the majority of the May batch) appear less responsive by comparison, even when the underlying incident is identical in scope
- Repeat-victim framing in the threat-actor post — the actor's "your users are affected again" language is operationally significant and worth flagging for the institution's internal investigation regardless of the school's public position. If "again" refers to an earlier real compromise, that earlier event may warrant separate review even if the current one is contained as the school describes
- Distributed disclosure pattern — claim and download surface on different accounts within hours, expanding distribution and complicating takedown requests; this remains a generalizable risk for the sector even where, as the school states, no actual data was leaked
Attacker
The primary post was signed "Nostra & friends" under the Nullsec Philippines banner. The follow-up was published by 4b1smo, a Facebook account that Nullsec Philippines began publicly promoting on May 3, 2026 ("follow this new page of Nos thanks"). The two accounts are operationally linked: 4b1smo's posts have been re-shared on the Nullsec Philippines main page, and at least one 4b1smo post identifies itself as "the side of Nostra".
The handles are part of the broader Nullsec / Fawkes Pilipinas / Crypt0nymz collective documented across many entries on this site, including the DepEd Training Platform CSV leak (May 3), the MIMAROPA state university MIS defacement (May 2), the Laguna technical-institute off-domain claim (May 2), the San Juan, Batangas Catholic K-12 claim (May 1), and the Rosario, Batangas private school claim (April 28).
Recommended Actions Already Taken (per institution statement)
The institution's own account of remediation is preserved here:
- The website administrator account compromise was identified
- The institution states the LMS infrastructure was not affected
- The institution states no sensitive information was leaked
Recommended Additional Actions
For completeness, beyond the steps the institution states it has already taken, the following are worth confirming were also performed:
- 1.Forensic verification of the LMS infrastructure separation — the institution's claim that "the LMS server and website are separate" is straightforwardly defensible if confirmed by an independent third party reviewing access logs, network topology, and shared-credential surfaces
- 2.Review of the threat actor's screenshots and downloadable file — even if the institution's position is that the data is not authentic to its system, an internal review of the specific records the actor is distributing helps establish what the actor thinks they have, which is useful context for defending against follow-up activity
- 3.NPC notification under RA 10173 — even where the institution's position is that no sensitive information was leaked, a personal-information controller should consider whether a notification is warranted given the public nature of the claim and the institution's own confirmation that some breach occurred
- 4.Coordinate takedown with the file-sharing host hosting the disputed dataset, regardless of the institution's position on its authenticity — the file's continued availability under the institution's name is itself a reputational concern
- 5.Investigate the "your users are affected again" framing — if the actor's reference to a prior incident has any factual basis, that earlier event may warrant separate internal review
Institution Statement
Right of Reply — Official statement from the named institution
Announcement about the recent security breach of IBA College of Mindanao Inc. website. We confirm that only the administrator account of the WEBSITE was compromised. This incident was isolated and did not affect the systems. The LMS server and website are separate, and there is no evidence that the LMS server was accessed or penetrated. No sensitive information has been leaked, and the data being claimed as ours by external parties is not from our system.Sources & References
All sources are independently verified. Access dates and archive links are recorded for each citation.
- [1]IBA College of Mindanao Inc. — official statement on the website security breach (Facebook) — Public statement from IBA College of Mindanao Inc. shared on the institution's Bachelor of Science in Information Technology (BSIT) department's official Facebook page (IBACM - Valencia), confirming that the website administrator account was compromised but stating the LMS was not accessed and disputing the threat actor's data-leak claim (May 3, 2026).Accessed: May 4, 2026
- [2]Nullsec Philippines primary claim post (Facebook) — Primary threat-actor claim of 500+ student records, signed 'Nostra & friends', with two site-shot.com screenshot URLs as evidence (May 3, 2026).Accessed: May 3, 2026
- [3]4b1smo follow-up post with download link (Facebook) — Follow-up post on a Nullsec-affiliated account distributing a downloadable file on a public file-sharing host (May 3, 2026). Subsequently appears to have been removed from this account, though the primary Nullsec post remains.Accessed: May 3, 2026