What Happened
On March 31, 2026, the threat actor group Fawkes Pilipinas published a post on Facebook addressed to a private college in Bulacan. The message was framed around "concerns and allegations" related to discrimination, bullying, and inclusivity within the school — a common hacktivism pretext used by this group to justify data releases.
The post included a direct download link to a 4MB+ CSV file hosted on MediaFire, which the group presented as data exfiltrated from the college's systems.
Hacktivism Framing
Fawkes Pilipinas framed the breach as a social awareness action, stating: "Recent discussions from students and advocacy groups have highlighted claims related to discrimination, bullying, and concerns about inclusivity within the school environment. While these reports may not all be officially verified, they reflect experiences that deserve attention and proper review."
This framing is consistent with prior Nullsec Philippines operations, where social grievances (real or fabricated) are cited as justification for unauthorized data exfiltration and public exposure of student records.
What Was Allegedly Compromised
Based on the threat actor's post:
- File format: CSV
- File size: 4MB+
The actual contents of the file have not been independently verified. Given the file size and CSV format, the data likely includes structured records from one or more of the college's internal databases — potentially containing student or employee PII.
Note on school identity: The name of the institution has been withheld as this claim comes solely from the threat actor, with no independent confirmation from the school, media, or official sources.
Note on data contents: No sample records have been publicly shared, so the specific data fields, and whether passwords were included (or stored in plaintext), are unknown at this time.
Attacker
The post was signed by members of Fawkes Pilipinas, with greetz to:
- X10n, Ch4nc3ll0rx.1337, crypt0nymz, 0xSeve, Ph.sydn3y, Lei$
Special greetz to: Nullsec Philippines, Zeus, Cyberfr0st, nomxrcy, Mr.Astra, 0xTerror
Several of these handles — including crypt0nymz — were also credited in the breach of a private school in Tagum City in early March 2026, confirming overlapping membership between Fawkes Pilipinas and Nullsec Philippines.
Why This Breach Matters
- 4MB+ of structured CSV data — this is a full database export, not a token sample, suggesting substantial access to internal systems
- Escalating pattern — Fawkes Pilipinas and Nullsec Philippines have conducted at least a dozen documented attacks on Philippine educational institutions in 2026 alone
- No institutional response — the college has not issued any public statement confirming or denying the breach
Resolution
As of April 2026, a review of the institution's website indicates the underlying issue appears to have been resolved. No official acknowledgement or public statement from the institution regarding the breach has been found.
Recommended Actions for the Institution
1. Immediately investigate the claimed breach — determine whether unauthorized access occurred and what data was affected
2. Notify the National Privacy Commission (NPC) within 72 hours if the breach is confirmed, as required by the Data Privacy Act of 2012
3. Audit database access logs — determine how the data was exfiltrated and whether additional access occurred
4. Notify affected students and staff if their data was compromised
5. Review password storage practices — if credentials were included in the exfiltrated data, ensure passwords are hashed using bcrypt, scrypt, or Argon2 rather than stored in plain text
6. Conduct a full security assessment of all web-facing systems
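For the password storage review in the recommendations above, the following added example (not part of the original report, and not code from the institution) shows one way an administrator could audit a CSV export of their own accounts table and flag every stored value that is not a bcrypt, scrypt, or Argon2 hash. The column names `username` and `password`, the function names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
import re
from collections import Counter

# Storage formats recognised by prefix/shape, checked in order.
FORMATS = [
    ("argon2", re.compile(
        r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("scrypt", re.compile(r"^\$(?:scrypt|7)\$")),
    # Bare hex of MD5/SHA-1/SHA-256 length: most likely a fast, unsalted digest.
    ("fast-hex-digest", re.compile(
        r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")),
]
ACCEPTABLE = {"argon2", "bcrypt", "scrypt"}


def classify(stored: str) -> str:
    """Return the storage format label for one stored credential value."""
    for label, pattern in FORMATS:
        if pattern.match(stored):
            return label
    return "plaintext-or-unknown"


def audit(csv_text: str, user_col: str = "username", pw_col: str = "password"):
    """Count formats and list accounts whose stored value needs re-hashing."""
    counts, needs_rehash = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row[pw_col].strip())
        counts[label] += 1
        if label not in ACCEPTABLE:
            needs_rehash.append((row[user_col], label))
    return counts, needs_rehash


# Constructed sample rows (hypothetical accounts, not taken from any real data set).
SAMPLE = "\n".join([
    "username,password",
    "alice,$2b$12$" + "a" * 53,
    "bob," + hashlib.md5(b"password").hexdigest(),
    "carol,Summer2026!",
    'dave,"$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$' + "b" * 43 + '"',
])

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE)
    print(dict(counts))
    for user, label in flagged:
        print(f"{user}: {label} -> force reset and re-hash")
```

A value that matches one of the acceptable formats only shows which algorithm was used; cost parameters still need to be reviewed separately.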