What Happened
The Polytechnic University of the Philippines (PUP) confirmed on June 18, 2020, that its Student Information System (SIS) was hacked. The attack was attributed to the hacker group "Pinoy Grayhats," the same group responsible for the FEU breach and attacks on multiple other Philippine schools that month.
PUP's Information and Communications Technology Office (ICTO) conducted an initial probe and stated that no "sensitive" user information was compromised, despite some student personal data being leaked.
How This Attack Works
The Pinoy Grayhats targeted student information systems with web application vulnerabilities — the same attack pattern used against FEU and other schools that month. Student portals built in-house by university IT departments often lack the security hardening of commercial software, making them vulnerable to common web attacks like SQL injection and authentication bypass.
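As a general illustration of the SQL injection weakness named above, the following added example (not code from PUP's portal or any affected school) contrasts a record lookup that pastes request input into the SQL text with one that validates and binds it. The table, function names, student-number format and sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data; table, column and function names are assumptions.
ROWS = [
    ("2020-00001", "A. Cruz", "acruz@example.edu"),
    ("2020-00002", "B. Santos", "bsantos@example.edu"),
    ("2020-00003", "C. Reyes", "creyes@example.edu"),
]
STUDENT_NO = re.compile(r"\d{4}-\d{5}")  # assumed ID format


def make_db():
    """Build an in-memory stand-in for a portal's student table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (student_no TEXT PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, student_no):
    """Weak pattern: request input becomes part of the SQL statement itself."""
    sql = ("SELECT student_no, name, email FROM students "
           "WHERE student_no = '" + student_no + "'")
    return db.execute(sql).fetchall()


def lookup_hardened(db, student_no):
    """Reject malformed IDs, then bind the value so it is only ever data."""
    if not STUDENT_NO.fullmatch(student_no):
        return []
    sql = "SELECT student_no, name, email FROM students WHERE student_no = ?"
    return db.execute(sql, (student_no,)).fetchall()


def demo():
    """Return how many rows each lookup discloses for normal and crafted input."""
    db = make_db()
    crafted = "x' OR '1'='1"  # textbook tautology input
    return {
        "vulnerable_normal": len(lookup_vulnerable(db, "2020-00002")),
        "vulnerable_crafted": len(lookup_vulnerable(db, crafted)),
        "hardened_normal": len(lookup_hardened(db, "2020-00002")),
        "hardened_crafted": len(lookup_hardened(db, crafted)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s) returned")
```

The concatenated query returns every student's record for the crafted input, while the bound query returns none; the format check is a second layer, since parameter binding alone already keeps the input from being parsed as SQL.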
PUP's case is notable because the university had a prior breach in 2018 (NPC Case BN 18-222), which was only formally closed in February 2023. This suggests that systemic security weaknesses persisted even after the first incident.
Broader Context
PUP was one of over 20 Philippine schools targeted by hackers in June 2020 alone. Other schools in the wave included FEU, San Beda University, Cebu Normal University, Tarlac Agricultural University, University of Mindanao, AMA University, and Bulacan State University.
The attacks highlighted the vulnerability of Philippine educational institutions as they transitioned to online learning during the COVID-19 pandemic.
Response
PUP's ICTO determined the extent of the breach and strengthened the information system's security features. The university informed the National Privacy Commission and advised students to change their passwords and take precautionary measures.
How to Prevent This
1. Schedule annual penetration tests: have external security professionals test your student portals at least once a year, and after any major code changes.
2. Separate public-facing portals from internal databases: use an API layer between the web application and the database so the portal never has direct database access.
3. Implement real-time intrusion detection: deploy tools like OSSEC or Suricata that alert when someone is probing your systems for vulnerabilities.
4. Learn from prior incidents: if your school has been breached before, conduct a root cause analysis and verify that all identified vulnerabilities have been fixed.
5. Consider using established SIS platforms: instead of maintaining custom-built portals, evaluate commercial or open-source student information systems that receive regular security updates.
6. Implement a Web Application Firewall (WAF): a WAF can block common attack patterns like SQL injection and XSS before they reach your application.