SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Database Leak
CriticalUnconfirmed

A private IT-focused university chain in the Philippines

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

On May 27, 2026, a Facebook page operating under the name 'Quantum Security Group' (QSG), signed by the handle '#ch4nc3ll0rx_1337', claimed in a public post addressed to a private IT-focused university chain in the Philippines that they had compromised one of the institution's subdomain portals and exfiltrated ≈200,100 student records along with ≈4,044 records of submitted student-requirement documents (transcripts, birth certificates, Form 138/137, diplomas, government IDs, and other personal documentation). The actor framed the disclosure around the irony that the institution publicly markets cybersecurity courses and programs. The institution has not issued a public statement. This entry is recorded as 'unconfirmed' on the basis of the single threat-actor claim; specific identifying URLs, the exfiltrated proof links, and the actor's download URLs are not reproduced on this site.

May 27, 2026≈200,100 student records and ≈4,044 student-requirement document submissions claimed by the threat actor records affected

Key Facts

Date of Incident
May 27, 2026
Date Discovered
May 27, 2026
Records Affected
≈200,100 student records and ≈4,044 student-requirement document submissions claimed by the threat actor
Source
Quantum Security Group / #ch4nc3ll0rx_1337 (Facebook)
Data Types Exposed
Student personally identifiable information (PI) and sensitive personally identifiable information (SPI) (claimed)Student academic profile / 'life summary' fields (claimed)Transcript of Records (claimed)Birth Certificates (claimed)Form 138 Report Card (claimed)Form 137 (claimed)Diploma (claimed)Good Moral certificates (claimed)Passport scans (claimed)PWD ID (claimed)SSS ID (claimed)TIN ID (claimed)UMID ID (claimed)National ID (claimed)Driver's License (claimed)Certificate of Employment (claimed)Marriage Certificate (claimed)
Response / Action Taken

On May 28, 2026, the institution's Data Privacy Office privately acknowledged receipt of a courtesy notification from this site, replying that the matter had been routed to their information security team. This is a private acknowledgement and is not a public statement; the entry remains anonymized pending public confirmation. No public advisory, no statement from the National Privacy Commission, and no independent reporting has been observed at the time of this entry. The status will be updated if and when the institution publishes an advisory, the NPC publishes a finding, or independent reporting confirms the access vector, the authenticity of the claimed dataset, and remediation. The institution is urged to treat the document categories enumerated by the threat actor as compromised regardless of forensic verification status, given the immediate identity-fraud risk to the affected student population.

Single-source notice: This incident is based on a single public post by a self-identified threat actor. No mainstream news outlet has reported on it, no independent researcher has corroborated it, and the institution has not issued a public statement. The claim remains unverified and the institution's name has been redacted pending verification.

Proof-of-exfiltration URLs included in the threat-actor post (base64-encoded links pointing to paste-text and file-sharing services) are not reproduced on this site, in line with the methodology of refusing to amplify breach distribution.

What Happened

On May 27, 2026, a Facebook page operating under the name "Quantum Security Group" (QSG), signed by the handle "#ch4nc3ll0rx_1337", published a long public post addressing a private IT-focused university chain in the Philippines. The post followed a short teaser the prior evening that named the institution but did not yet disclose any data; the full claim was made the following morning.

The actor stated that they had:

  • Gained access to "one of your subdomains portal" — a non-primary web property on the institution's domain rather than the main public website
  • Exfiltrated ≈200,100 student records described as containing personally identifiable information (PI), sensitive personally identifiable information (SPI), and what the actor sarcastically referred to as the "life summary of each student"
  • Separately exfiltrated ≈4,044 student-requirement document submissions — the digitized supporting documents students upload to the portal

Document Categories Allegedly Exfiltrated

The post enumerated the following document types as having been retrieved from the student-requirements section of the portal. Each is reproduced here at the categorical level only; no sample data is presented on this site.

  • Academic records: Transcript of Records, Form 138 Report Card, Form 137, Diploma, Good Moral certificates
  • Government-issued identification: Passport, PWD ID, SSS ID, TIN ID, UMID ID, National ID, Driver's License
  • Civil-status / employment records: Birth Certificate, Marriage Certificate, Certificate of Employment

This combination is unusual in its breadth. A single government-issued ID exposed is already sufficient to enable identity fraud; a portal that aggregates seven different categories of government-issued IDs alongside birth and marriage certificates concentrates the entire identity-theft kit for each affected student in one location.

Threat-Actor Framing and Tone

The post is sarcastic and pointed. The actor explicitly tied the breach to the institution's own marketing of cybersecurity offerings, writing that an institution that advertises "courses and college programs" in cybersecurity "should ensure that your website infrastructure is properly secured and maintained" so that "people or students would have the confidence that you are indeed applying what you teach in your own."

The post closes by instructing the institution to "activate your incident response playbook," to "notify the relevant authorities, such as the DICT," and to "begin a full root cause analysis" — language that mimics standard incident-response advice while making clear the actor does not intend to disclose the access vector.

The actor identifies as "#ch4nc3ll0rx_1337" writing on behalf of "Quantum Security Group" (QSG). The QSG page describes itself as "Not your ordinary HACKTIVISTS, This is HELL," and the actor's handle and signature are consistent with "Ch4nc3ll0rx.1337" — a name previously listed in the greetz lines of the Saint Joseph College of Rosario Batangas disclosure (April 28, 2026), which suggests the same individual or persona has been active across multiple recent claims.

Why the Methodology Treats This as 'Unconfirmed'

This entry is fully anonymized and tagged as `unconfirmed` because:

  • The only public source is the threat actor's own Facebook post
  • No corroborating media coverage has been observed
  • No NPC finding is available
  • No public statement has been issued by the institution
  • The actor has provided base64-encoded links pointing to a paste-text service and a file-sharing host; these links are not visited or reproduced on this site, and their contents — if authentic — cannot substitute for an independent forensic confirmation

If the institution issues a statement, if reputable Philippine technology media independently reports the breach, or if the NPC publishes a finding, this entry will be updated and de-anonymized in line with the SchoolBreach.org methodology.

Why This Claim Warrants Attention

  • Scale. If the ≈200,100 student-record figure is even approximately correct, this is one of the larger single-institution disclosures of 2026 in the Philippine education sector, sitting alongside the DepEd OVAP (210,020 records, 2024) and DepEd training-platform (≈1 M records, 2026) incidents in order of magnitude.
  • Aggregation of identity documents. The portal evidently functioned as a one-stop document repository — academic credentials, government-issued IDs across seven categories, and civil-status records — concentrating the identity-fraud value of each affected student in a single dataset.
  • Subdomain attack surface. The actor states the access was via a subdomain portal rather than the main public website. Subdomains used for student-requirements upload and admissions workflows are often built and maintained by smaller teams with less rigorous review than the institution's flagship site. This pattern recurs across recent claims tracked on this site, including the University of Northeastern Philippines XSS finding (April 23, 2026) on a maritime-education subdomain, and the La Union colleges defacements (March 29, 2026).
  • Cybersecurity-program target dynamic. The actor's framing — calling out a cybersecurity-marketing institution for its own insecure infrastructure — is not unique to this incident, but it is rhetorically arresting and likely to draw further attention from other actors. Institutions that publicly market cybersecurity expertise may attract follow-on probing on the assumption that a successful breach against them is a higher-prestige target.

What Is Not Known

  • Whether the figures are accurate. The 200,100 / 4,044 numbers are the actor's own claim. They cannot be independently verified from the public post alone.
  • Which subdomain was affected. The actor did not name the subdomain in the public post.
  • Access vector and dwell time. The actor explicitly refused to disclose the technical method.
  • Whether the institution is aware. No public statement has been observed; whether the institution's IT/security function has been notified privately is not known.
  • Whether the data is already being trafficked. The post references base64-encoded download links pointing to a paste-text service and a file-sharing host. The contents of those links have not been examined for the purposes of this entry; the existence of the links alone, however, indicates a credible distribution path.

Recommended Actions for the Institution

  1. 1.Treat the breach claim as credible until independently disproved. Begin incident response immediately — do not wait for the technical access vector to be confirmed before assuming compromise of the named portal.
  2. 2.Inventory subdomains and shut down or re-authenticate the affected portal. Document-upload portals built outside the main web property are frequent weak points and should be enumerated and audited as a class, not just the one the actor addressed.
  3. 3.Rotate credentials broadly. If a portal handling student PII has been compromised, assume any credentials, API keys, and session secrets used by that subsystem are exposed. Rotate, and force re-authentication for affected user populations.
  4. 4.Notify the National Privacy Commission within 72 hours. Republic Act No. 10173 (the Data Privacy Act) and NPC Circular No. 16-03 set a 72-hour notification window for breaches involving sensitive personal information. With the document categories enumerated by the actor, the materiality threshold is plainly met.
  5. 5.Notify affected students. Each student whose government-issued IDs, birth certificate, transcript, or other documents have been potentially exposed should be informed individually so they can monitor for identity-fraud follow-on, request replacement IDs, and enable additional vigilance on government and financial accounts.
  6. 6.Engage a forensic firm. Determining the access vector, dwell time, and full scope of exfiltration requires log analysis and infrastructure review beyond what the institution's in-house team can typically perform under time pressure.
  7. 7.Issue a public advisory. Per the SchoolBreach.org methodology, a same-day or next-day institutional advisory — even if details are still being investigated — converts the institution from object to subject in the public narrative. The contrast example on this site is the Assumption College of Davao ICTC advisory, which strengthened rather than damaged that institution's reputation.
  8. 8.Audit the document-collection pipeline. A student portal that aggregates seven categories of government IDs alongside academic and civil-status records is concentrating identity-fraud risk in one location. Examine whether all of these documents must be stored centrally and indefinitely, or whether retention windows, separation of stores, or off-portal verification flows could reduce the blast radius of any future breach.

How to Prevent This Pattern

  1. 1.Apply data minimization to student-requirement collection. Many of the 15 document categories enumerated by the actor are likely collected once at admission and never required again. If a document is needed only for one-time verification, it should not be retained indefinitely in an online portal.
  2. 2.Separate document storage from web-portal application logic. Store uploaded documents in an object store (S3, Azure Blob, etc.) with short-lived, signed-URL access — never with direct, persistent public URLs and never inside the same database as the application's session and user tables.
  3. 3.Encrypt at rest with per-tenant or per-student keys. Even if a database is exfiltrated, per-record encryption with a key-management service raises the cost of bulk decryption.
  4. 4.Inventory and harden subdomains as a class. A central IT function should maintain an inventory of every subdomain on the institution's `.edu.ph` domain, with named owners, last-review dates, and stack-of-record information. Subdomains without owners should be deprecated.
  5. 5.Apply authentication and rate limiting to admin endpoints. Subdomain portals frequently expose unauthenticated admin endpoints inherited from legacy templates or open-source CMS installations.
  6. 6.Use modern frameworks with built-in CSRF, output escaping, and parameterized queries. The classic stack for student-requirements portals in the Philippines — PHP + jQuery + manual MySQL — is exactly the stack where SQL injection, stored XSS, and IDOR bugs proliferate.
  7. 7.Publish a security contact and responsible-disclosure policy. Researchers and would-be ethical actors should have a private channel; absent one, they have only the public-Facebook-post channel that produces incidents like this one.
  8. 8.Run external attack-surface management on a recurring basis. Free or commercial services that crawl your own subdomains and check for exposed admin panels, expired TLS certificates, and known-vulnerable software versions can catch the same issues that opportunistic actors are scanning for.
private universityIT-focused institutionstudent recordsidentity documentssubdomain compromisedatabase leakQuantum Security GroupQSGch4nc3ll0rxFacebookhacktivismunverifiedunconfirmed2026

Related Incidents

Critical

A private medical college in Cebu City

June 24, 2026

Critical

A private Catholic university in Mindanao

June 2, 2026

Critical

A state university in Mindanao

May 10, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources