What Happened
On March 4, 2026, a threat actor using the handle Crypt0nymz, associated with NullSec Philippines (also linked to aliases 4rch4n63l and Fawkes Pilipinas), publicly posted on Facebook claiming to have breached the database of St. Mary's College of Tagum, Inc. (SMCT) in Davao Region.
The threat actor stated they had previously reported security issues to SMCT, and that the college had updated their portal in response. However, the attacker claimed the update was insufficient — they were still able to bypass the college's Web Application Firewall (WAF) and pull sensitive data "with zero effort."
The post included specific technical details about the compromised database:
- Database Name: smct
- Table: grades_2024_2
- Columns: studno, firstname, lastname, grade
The attacker also noted that SMCT's web application had debugger mode enabled in production — a serious misconfiguration that exposes internal application details and can provide attackers with detailed error messages, stack traces, and system paths.
What Was Allegedly Exposed
- Student numbers (studno)
- First names and last names
- Academic grades (from the 2024 second semester/term)
The threat actor claimed they could pull additional sensitive data but stated they would not go further with the exploitation: "I'm not your hired pentester."
Why This Breach Is Concerning
Several aspects of this incident are notable:
- WAF bypass — the attacker specifically claimed to have bypassed SMCT's Web Application Firewall, suggesting the underlying application vulnerability was not fixed even after security updates were applied. A WAF alone cannot substitute for secure code
- Debugger mode in production — leaving debug mode enabled exposes detailed error messages, database queries, and system internals to anyone who triggers an error. This is a well-known misconfiguration that significantly aids attackers
- Repeat targeting — the attacker indicated this was not their first interaction with SMCT's systems, suggesting the college was aware of vulnerabilities but failed to fully remediate them
- Grade data exposure — while names and student numbers are sensitive PII, the exposure of academic grades adds reputational and privacy harm for affected students
How This Type of Attack Works
Based on the details provided, this appears to be a SQL injection or similar database access vulnerability in SMCT's web portal:
- SQL injection — the attacker may have injected malicious queries through input fields in the portal to directly query the smct database and extract the grades_2024_2 table
- WAF bypass techniques — common methods include encoding payloads (URL encoding, Unicode, hex), using alternative SQL syntax, or exploiting WAF rule gaps. A WAF that is not properly tuned or uses only signature-based detection can be bypassed
- Debug mode exploitation — with debugger mode enabled, error messages may reveal database table names, column names, query structures, and file paths — all of which make crafting SQL injection payloads significantly easier
Recommended Actions for SMCT
- 1. Immediately disable debug/debugger mode in production — this is the most urgent fix. Debug mode should never be enabled on a live system
- 2. Fix the underlying application vulnerability — a WAF is a defense-in-depth layer, not a fix. Identify and patch the SQL injection or access control flaw in the application code
- 3. Use parameterized queries / prepared statements — this eliminates SQL injection regardless of WAF effectiveness
- 4. Conduct a full security audit — given that the attacker claims to have bypassed defenses after an update, a comprehensive penetration test is needed
- 5. Review WAF configuration — ensure the WAF rules are properly tuned and updated. Consider switching to a more robust WAF solution if the current one is easily bypassed
- 6. Notify the National Privacy Commission (NPC) within 72 hours if the breach is confirmed, as required by the Data Privacy Act
- 7. Notify affected students — students whose grades and personal data may have been exposed should be informed
- 8. Implement proper access controls — ensure the web application's database user has minimal privileges (read-only on specific tables, not full database access)
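To illustrate recommendations 1 and 3, the following added example (not code from SMCT's portal or from the original post) contrasts a concatenated query with a parameterized one and returns a generic error instead of debug output. It assumes Python's sqlite3 with a constructed in-memory table that borrows only the table and column names from the post; the function names, logger name and sample rows are hypothetical.

```python
import logging
import sqlite3

log = logging.getLogger("portal")  # hypothetical logger name

def make_db():
    """Constructed in-memory stand-in; only table/column names come from the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grades_2024_2 "
               "(studno TEXT, firstname TEXT, lastname TEXT, grade REAL)")
    db.executemany("INSERT INTO grades_2024_2 VALUES (?, ?, ?, ?)", [
        ("2024-0001", "Ana", "Cruz", 1.5),      # constructed sample rows
        ("2024-0002", "Ben", "Reyes", 2.0),
        ("2024-0003", "Carla", "Santos", 1.25),
    ])
    return db

def lookup_concat(db, studno):
    # Vulnerable pattern: input is spliced into the SQL text, so a quote in
    # the input can change the structure of the statement.
    sql = "SELECT studno, grade FROM grades_2024_2 WHERE studno = '" + studno + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, studno):
    # Hardened pattern: the value is bound by the driver and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT studno, grade FROM grades_2024_2 WHERE studno = ?"
    return db.execute(sql, (studno,)).fetchall()

def handle_request(db, studno, lookup):
    # Debug mode off: details go to the server log, the client gets no
    # query text, stack trace or path.
    try:
        return {"status": 200, "rows": lookup(db, studno)}
    except sqlite3.Error as exc:
        log.error("grade lookup failed: %r", exc)
        return {"status": 500, "error": "Internal error"}

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input
    print(len(lookup_concat(db, crafted)), "rows via concatenation")
    print(len(lookup_param(db, crafted)), "rows via bound parameter")
    print(handle_request(db, "2024-0001'", lookup_concat))
```

Binding protects values only; where a table or column name must vary, select it from a fixed allow-list in code rather than from request input.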
Context
St. Mary's College of Tagum is a private educational institution in Tagum City, Davao del Norte. The threat actor specifically criticized the college for charging ₱30,000 in tuition while maintaining what they described as outdated and inadequate security infrastructure.
This is the second breach claimed by NullSec Philippines members on the same day (March 4, 2026), alongside the Colegio ng Lungsod ng Batangas incident, suggesting a coordinated campaign targeting Philippine educational institutions with known security weaknesses.
Sources & References
- [1] NullSec Philippines (Facebook) — Original Facebook post by threat actor 'Crypt0nymz' claiming WAF bypass and database access at SMCT (March 4, 2026)