Back to Breach Tracker
Unauthorized Access
CriticalResolved

San Beda University (SBU)

A hacker defaced San Beda University's student portal with a 'Doomsday' countdown and exfiltrated approximately 400,000 user credentials stored in plaintext logs, including students, parents, faculty, and alumni. The NBI arrested the 21-year-old hacker.

June 4, 2020Manila, NCR400,000+ records affected

Key Facts

Date of Incident
June 4, 2020
Date Discovered
June 2, 2020
Records Affected
400,000+
16 GB total
Source
Rappler
Data Types Exposed
Student namesBirthdaysPostal addressesEmail addressesStudent gradesStatements of accountUser credentials (plaintext)Parent informationFaculty informationAlumni information
Response / Action Taken

SBU reported to NBI and NPC. Hacker arrested. Independent security audit commissioned. Community advised to reset passwords and enable MFA.

What Happened

On June 2, 2020, IT administrators at San Beda University (SBU) detected penetration of their web servers hosting the student portal (sis.sanbeda.edu.ph). On June 4, users trying to access the portal were met with a message reading "Server Pawned" along with a "Doomsday" countdown timer set for approximately 7 days.

The unknown hackers republished the "Doomsday" countdown on June 5, after the university attempted to restore the portal.

How the Attack Happened

SBU stated the hacker got through the system set up by Princtech Company, the third-party vendor that developed their student portal. A critical flaw was discovered: the student portal had been logging all errors containing user credentials in clear text format. This allowed the attacker to obtain approximately 400,000 user logins between 2019–2020.

The attacker was also simultaneously sending out pharming links to trick members of the SBU community into sharing more personal information.

Data Exposed

  • Student names, birthdays, and postal addresses
  • Email addresses
  • Student grades and academic records
  • Statements of account (financial records)
  • Approximately 400,000 user credentials in plaintext — covering students, parents, faculty, and alumni from 2019–2020

Response

SBU took swift action:

  • Reported the breach to the National Bureau of Investigation (NBI) and the National Privacy Commission (NPC)
  • Demanded Princtech Company explain the security failure
  • Hired independent IT experts to audit the system and recommend a complete redesign
  • Called on the entire SBU community to change all passwords and enable two-step authentication
  • Issued a public apology

Arrest

The NBI launched a cybersurveillance operation after SBU filed a formal complaint. Through their investigation, the NBI identified the handler "@solus" — identified as John Raven Aquino, a 21-year-old who was the founder and leader of the Global Security Hacker Group (GSH). Aquino was arrested, making this one of the few Philippine school hacking cases to result in a criminal prosecution.

How to Prevent This

  1. 1.Never log credentials in plaintext — application error logs must never contain passwords, session tokens, or authentication data. Audit all logging configurations immediately
  2. 2.Audit third-party vendor security — before deploying any student portal, require the vendor to demonstrate secure coding practices, penetration test results, and compliance with security standards
  3. 3.Implement credential hashing — all passwords must be hashed with bcrypt, scrypt, or Argon2. If your vendor stores or logs passwords in plaintext, this is a contract-terminating security failure
  4. 4.Deploy Web Application Firewall (WAF) — to block common attack vectors before they reach the application
  5. 5.Enable multi-factor authentication (MFA) — even if credentials are compromised, MFA prevents unauthorized login
  6. 6.Report breaches to the NBI and NPC promptly — SBU's swift reporting led to the arrest of the hacker, demonstrating the value of coordinating with law enforcement
  7. 7.Conduct regular security audits of vendor-provided systems — do not assume third-party vendors maintain adequate security

Sources & References

  1. [1]
    Rappler Initial report: San Beda University student portal down after apparent hack (June 4, 2020)
  2. [2]
    Rappler Follow-up: San Beda seeks NBI and NPC help to track hacker; Princtech identified as vendor (June 7, 2020)
  3. [3]
    Rappler 'Doomsday' warning for San Beda University resurfaces (June 5, 2020)
  4. [4]
    Manila Bulletin San Beda student portal hacked — breach details, data types exposed, Princtech mention (June 7, 2020)
  5. [5]
    GMA News NBI arrests 21-year-old John Raven Aquino for allegedly hacking university website (June 28, 2020)
  6. [6]
    Rappler Amid investigation, alleged San Beda hackers release '16GB database of San Beda'
  7. [7]
    GitHub (ajdumanhug/gothacked) Registry of Philippine school hacking incidents — San Beda listed June 8, 2020
San Bedastudent portalNBI arrestplaintext credentialsManilaPrinctechNPC