SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Data Exposure
HighUnconfirmed

A state university in Metro Manila

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

Across two Facebook posts on July 4 and July 5, 2026, the threat-actor account 'Nullsec Philippines' addressed a state university in Metro Manila's admissions office directly, first sharing a screenshot of dozens of applicant photographs and then a follow-up post sharing a password-protected cloud-storage folder said to contain a larger set of the same. The posts framed the disclosure as a rebuke of the institution's security practices rather than an extortion demand. The institution has not issued a public statement, and this entry is recorded as 'unconfirmed' on the basis of a single threat actor's claim.

July 4, 2026Undetermined; a partial screenshot showed roughly 90 applicant photographs, and the threat actor's follow-up post claims the shared archive represents only 'half' of the full set held records affected

Key Facts

Date of Incident
July 4, 2026
Date Discovered
July 5, 2026
Records Affected
Undetermined; a partial screenshot showed roughly 90 applicant photographs, and the threat actor's follow-up post claims the shared archive represents only 'half' of the full set held
Source
Nullsec Philippines / Nostra (Facebook)
Data Types Exposed
Applicant photographs following an admissions-batch filename pattern (claimed)A larger archive of the same, offered via an encrypted cloud-storage folder with a separately-published decryption key (claimed, not independently verified)
Response / Action Taken

No public statement from the institution has been observed at the time of this entry. Status will be updated if and when the school, the National Privacy Commission, or independent reporting confirms the access vector, the authenticity of the claimed dataset, and remediation.

Single-source notice: This incident is based on two public posts by a self-identified threat actor. No mainstream news outlet has reported on it, no independent researcher has corroborated it, and the institution has not issued a public statement. The claim remains unverified and the institution's name has been redacted pending verification.

A link to a cloud-storage folder and an accompanying decryption key were included in the threat actor's second post. Neither is reproduced on this site, in line with the methodology of refusing to amplify breach distribution.

What Happened

On July 4, 2026, the Facebook account using the name Nullsec Philippines publicly posted addressing a state university in Metro Manila's admissions office by name, captioned "The applicants are being affected because of your negligence." The post attached a screenshot showing a grid of applicant photographs with filenames following a consistent admissions-batch numbering pattern, watermarked with the group's logo. The same screenshot included two smaller inset images: a post from a separate, unrelated hacking-forum account also using the handle "nostra," soliciting direct messages for a data sample, and a close-up of the group's own logo.

On July 5, 2026, roughly seven hours before this entry's screenshots were captured, the same account posted a follow-up addressed to the institution by name, captioned in Tagalog "happy to share with u [institution] kalahati lang pampagising sa developer" — loosely, "just half, enough to wake up the developer." The post included a link to a cloud-storage folder and a plaintext decryption key, and was signed "- Nostra." The attached image was a photo of the institution's official seal on a black background; no data screenshot accompanied this second post.

Both posts were public, drew modest engagement (roughly a dozen to twenty reactions and a handful of comments each), and remained visible on the group's page as of the time of this entry.

What the Posts Show

  • A photo grid — the first post's screenshot displays dozens of individual headshot-style photographs, each named with a sequential filename that appears to encode an admissions batch and applicant number.
  • A claim of a larger archive — the second post's caption asserts that the publicly shared folder is only half of what the threat actor holds, implying an additional, unreleased portion of the same dataset.
  • A cross-platform presence — the inset screenshot in the first post shows a hacking-forum account using the same "nostra" handle, with a membership tenure of roughly ten months on that forum, soliciting private-message contact for a data sample. This indicates the persona operates a presence beyond the Facebook page tracked here.
  • No credential or system-access claim — neither post describes an access vector, names an affected subsystem, or claims database or administrative-account compromise. The claim is limited to possession and redistribution of a set of applicant photographs.

Why the Methodology Treats This as 'Unconfirmed'

This entry is fully anonymized and tagged as 'Unconfirmed' because:

  • The only public source is the threat actor's own Facebook posts — both posts originate from the same account and do not constitute independent corroboration of one another
  • No corroborating media coverage has been observed
  • No NPC finding is available
  • No public statement has been issued by the institution
  • The forum post referenced in the first screenshot is itself an unverified, uncorroborated claim by the same persona, not an independent source

If the institution issues a statement, if reputable Philippine technology media independently reports the claim, or if the NPC publishes a finding, this entry will be updated and de-anonymized in line with the SchoolBreach.org methodology.

Threat-Actor Persona and Cross-References

The second post is signed "- Nostra," the same sign-off style used in the St. Ignatius Technical Institute of Business and Arts Cabuyao Campus defacement claim (May 2, 2026), which was also a one-line Nullsec Philippines post signed identically. The handle "Nostra" and its variants ("N0STR4," "Nostra & Friends") recur throughout the Nullsec Philippines campaign documented on this site, including greetz lines on the state university in Nueva Vizcaya CAT applicant claim (May 1, 2026) and the private school in Rosario, Batangas claim (April 28, 2026).

This entry's subject matter — a public claim of exposed admissions-applicant photographs — most closely parallels the Nueva Vizcaya CAT-portal entry, though that earlier claim showed a single applicant's session while this one displays a larger batch grid with no visible session or portal chrome, making the underlying access vector (misconfigured storage versus an authenticated portal session) less clear from the public post alone.

Why This Claim Warrants Attention

  • Bulk applicant imagery, not a single account. Unlike prior single-applicant claims tracked on this site, the screenshot here shows dozens of individuals at once, and the threat actor states more is withheld — if genuine, this points to exposure at the storage or batch-export level rather than a single compromised session.
  • A stated intent to escalate. The "half now" framing in the second post signals the threat actor is deliberately staging a partial release, a pattern associated with pressuring an institution rather than a one-off disclosure.
  • Applicants, not enrolled students, are affected. Prospective students who may have no other relationship with the institution yet are named as the affected population, widening the pool of individuals who would need to be notified if the claim is authentic.
  • A cross-platform footprint. The same handle's presence on a separate hacking forum suggests the material may already be circulating, or being offered, outside the Facebook post visible here.

What Is Not Known

  • Whether the photographs are authentic and current. No independent party has confirmed the images originate from the institution's admissions system rather than being recycled from an older or unrelated source.
  • The access vector. Nothing in the public posts describes how the photographs were obtained — an exposed storage bucket, a compromised admissions-portal account, or a leaked internal export are all consistent with what has been shown.
  • The true scope of the dataset. The claim that the shared folder is "half" of what is held is unverified and could be exaggerated for effect.
  • Whether the institution is aware of the claim. No response, denial, or acknowledgment from the institution has been observed.

Recommended Actions for the Institution

  1. 1.Determine whether the admissions applicant-photo directory is or was exposed. Audit the storage location, hosting configuration, and access logs for the admissions system that generates or stores applicant photographs.
  2. 2.Preserve forensic evidence immediately. Capture logs, storage-access records, and any available object-versioning history before they age out of retention.
  3. 3.Audit third-party and developer access. The threat actor's own framing ("pampagising sa developer") suggests a vendor- or developer-managed system may be implicated; review any external contractor's access scope and credentials.
  4. 4.Notify the National Privacy Commission within 72 hours under RA 10173. The legal trigger is risk to personal data, not certainty of exfiltration — a claim involving applicant photographs of this scale meets that threshold.
  5. 5.Issue a same-day public advisory. Silence in the face of a public claim leaves the threat actor's framing as the only public narrative. The contrast example on this site is the Assumption College of Davao ICTC advisory.
  6. 6.Rotate credentials for any system that could plausibly generate or serve the affected images, including admissions-portal service accounts and any developer or vendor accounts with storage access.
  7. 7.Extend log retention to at least 90 days for the affected system given the apparent multi-week or longer dwell time implied by a bulk export of this kind.
  8. 8.Prepare applicant-facing communication in the event the claim is substantiated, given that applicants — not currently-enrolled students — are the affected population and may not otherwise expect to hear from the institution.

How to Prevent This Pattern

  1. 1.Treat admissions-applicant photo directories as sensitive personal data, not incidental assets, with the same access controls applied to grade or financial records.
  2. 2.Avoid predictable, sequential filename schemes for applicant-submitted images; sequential batch numbering makes bulk enumeration and scraping trivial once any single file is reachable.
  3. 3.Restrict developer and vendor access to production applicant data, using de-identified or synthetic data in development and staging environments instead.
  4. 4.Publish a security contact and responsible-disclosure policy. Researchers and even hacktivist actors default to public Facebook posts when there is no private channel to route a finding to.
  5. 5.Conduct periodic external exposure scans of storage buckets, admissions-portal endpoints, and developer-facing subdomains to catch misconfigurations before they are publicly disclosed.
Metro ManilaNational Capital Regionstate universityadmissions portaldata exposureapplicant photosNullsecPhilippinesNostraFacebookhacktivismunverifiedunconfirmed2026

Related Incidents

Critical

A private Catholic university in Mindanao

June 2, 2026

Critical

A private medical college in Cebu City

June 24, 2026

Critical

A private IT-focused university chain in the Philippines

May 27, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources