Single-source notice: This incident is based on two public posts by a self-identified threat actor. No mainstream news outlet has reported on it, no independent researcher has corroborated it, and the institution has not issued a public statement. The claim remains unverified and the institution's name has been redacted pending verification.
A link to a cloud-storage folder and an accompanying decryption key were included in the threat actor's second post. Neither is reproduced on this site, in line with the methodology of refusing to amplify breach distribution.
What Happened
On July 4, 2026, the Facebook account using the name Nullsec Philippines published a public post addressing, by name, the admissions office of a state university in Metro Manila, captioned "The applicants are being affected because of your negligence." The post attached a screenshot showing a grid of applicant photographs with filenames following a consistent admissions-batch numbering pattern, watermarked with the group's logo. The same screenshot included two smaller inset images: a post from a separate, unrelated hacking-forum account also using the handle "nostra," soliciting direct messages for a data sample, and a close-up of the group's own logo.
On July 5, 2026, roughly seven hours before this entry's screenshots were captured, the same account posted a follow-up addressed to the institution by name, captioned in Tagalog "happy to share with u [institution] kalahati lang pampagising sa developer" — loosely, "just half, enough to wake up the developer." The post included a link to a cloud-storage folder and a plaintext decryption key, and was signed "- Nostra." The attached image was a photo of the institution's official seal on a black background; no data screenshot accompanied this second post.
Both posts were public, drew modest engagement (roughly a dozen to twenty reactions and a handful of comments each), and remained visible on the group's page as of the time of this entry.
What the Posts Show
- A photo grid — the first post's screenshot displays dozens of individual headshot-style photographs, each named with a sequential filename that appears to encode an admissions batch and applicant number.
- A claim of a larger archive — the second post's caption asserts that the publicly shared folder is only half of what the threat actor holds, implying an additional, unreleased portion of the same dataset.
- A cross-platform presence — the inset screenshot in the first post shows a hacking-forum account using the same "nostra" handle, with a membership tenure of roughly ten months on that forum, soliciting private-message contact for a data sample. This indicates the persona operates a presence beyond the Facebook page tracked here.
- No credential or system-access claim — neither post describes an access vector, names an affected subsystem, or claims database or administrative-account compromise. The claim is limited to possession and redistribution of a set of applicant photographs.
Why the Methodology Treats This as 'Unconfirmed'
This entry is fully anonymized and tagged as 'Unconfirmed' because:
- The only public source is the threat actor's own Facebook posts — both posts originate from the same account and do not constitute independent corroboration of one another
- No corroborating media coverage has been observed
- No NPC finding is available
- No public statement has been issued by the institution
- The forum post referenced in the first screenshot is itself an unverified, uncorroborated claim by the same persona, not an independent source
If the institution issues a statement, if reputable Philippine technology media independently reports the claim, or if the NPC publishes a finding, this entry will be updated and de-anonymized in line with the SchoolBreach.org methodology.
Threat-Actor Persona and Cross-References
The second post is signed "- Nostra," the same sign-off style used in the St. Ignatius Technical Institute of Business and Arts Cabuyao Campus defacement claim (May 2, 2026), which was also a one-line Nullsec Philippines post signed identically. The handle "Nostra" and its variants ("N0STR4," "Nostra & Friends") recur throughout the Nullsec Philippines campaign documented on this site, including greetz lines on the state university in Nueva Vizcaya CAT applicant claim (May 1, 2026) and the private school in Rosario, Batangas claim (April 28, 2026).
This entry's subject matter — a public claim of exposed admissions-applicant photographs — most closely parallels the Nueva Vizcaya CAT-portal entry, though that earlier claim showed a single applicant's session while this one displays a larger batch grid with no visible session or portal chrome, making the underlying access vector (misconfigured storage versus an authenticated portal session) less clear from the public post alone.
Why This Claim Warrants Attention
- Bulk applicant imagery, not a single account. Unlike prior single-applicant claims tracked on this site, the screenshot here shows dozens of individuals at once, and the threat actor states more is withheld — if genuine, this points to exposure at the storage or batch-export level rather than a single compromised session.
- A stated intent to escalate. The "half now" framing in the second post signals the threat actor is deliberately staging a partial release, a pattern associated with pressuring an institution rather than a one-off disclosure.
- Applicants, not enrolled students, are affected. Prospective students who may have no other relationship with the institution yet are named as the affected population, widening the pool of individuals who would need to be notified if the claim is authentic.
- A cross-platform footprint. The same handle's presence on a separate hacking forum suggests the material may already be circulating, or being offered, outside the Facebook post visible here.
What Is Not Known
- Whether the photographs are authentic and current. No independent party has confirmed the images originate from the institution's admissions system rather than being recycled from an older or unrelated source.
- The access vector. Nothing in the public posts describes how the photographs were obtained — an exposed storage bucket, a compromised admissions-portal account, or a leaked internal export are all consistent with what has been shown.
- The true scope of the dataset. The claim that the shared folder is "half" of what is held is unverified and could be exaggerated for effect.
- Whether the institution is aware of the claim. No response, denial, or acknowledgment from the institution has been observed.
Recommended Actions for the Institution
1. Determine whether the admissions applicant-photo directory is or was exposed. Audit the storage location, hosting configuration, and access logs for the admissions system that generates or stores applicant photographs.
2. Preserve forensic evidence immediately. Capture logs, storage-access records, and any available object-versioning history before they age out of retention.
3. Audit third-party and developer access. The threat actor's own framing ("pampagising sa developer") suggests a vendor- or developer-managed system may be implicated; review any external contractor's access scope and credentials.
4. Notify the National Privacy Commission within 72 hours under RA 10173. The legal trigger is risk to personal data, not certainty of exfiltration — a claim involving applicant photographs of this scale meets that threshold.
5. Issue a same-day public advisory. Silence in the face of a public claim leaves the threat actor's framing as the only public narrative. The contrast example on this site is the Assumption College of Davao ICTC advisory.
6. Rotate credentials for any system that could plausibly generate or serve the affected images, including admissions-portal service accounts and any developer or vendor accounts with storage access.
7. Extend log retention to at least 90 days for the affected system given the apparent multi-week or longer dwell time implied by a bulk export of this kind.
8. Prepare applicant-facing communication in the event the claim is substantiated, given that applicants — not currently-enrolled students — are the affected population and may not otherwise expect to hear from the institution.
How to Prevent This Pattern
1. Treat admissions-applicant photo directories as sensitive personal data, not incidental assets, with the same access controls applied to grade or financial records.
2. Avoid predictable, sequential filename schemes for applicant-submitted images; sequential batch numbering makes bulk enumeration and scraping trivial once any single file is reachable.
3. Restrict developer and vendor access to production applicant data, using de-identified or synthetic data in development and staging environments instead.
4. Publish a security contact and responsible-disclosure policy. Researchers and even hacktivist actors default to public Facebook posts when there is no private channel to route a finding to.
5. Conduct periodic external exposure scans of storage buckets, admissions-portal endpoints, and developer-facing subdomains to catch misconfigurations before they are publicly disclosed.
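The access-log audit in the recommended actions and the warning about sequential filenames can be combined into one check, shown here as an added example that is not part of the original entry or any institution's tooling. The URL layout, the `B2026-000100.jpg` naming scheme, the IP addresses and the log lines are all constructed assumptions, since the posts do not reveal the real scheme.

```python
import re
import secrets
from collections import defaultdict

# Assumed scheme (constructed): /uploads/applicants/<batch>-<number>.jpg
PHOTO_RE = re.compile(
    r'"GET /uploads/applicants/(?P<batch>[A-Z0-9]+)-(?P<num>\d+)\.jpg[^"]*" (?P<status>\d{3})')

def longest_sequential_run(numbers):
    """Length of the longest stretch where each ID is exactly the previous ID + 1."""
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_lines, min_run=5):
    """Map (client_ip, batch) -> run length and files served, for clients walking IDs in order."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = PHOTO_RE.search(line)
        if m:
            ip = line.split(" ", 1)[0]
            per_client[(ip, m["batch"])].append((int(m["num"]), m["status"] == "200"))
    findings = {}
    for key, hits in per_client.items():
        run = longest_sequential_run([num for num, _ in hits])
        if run >= min_run:
            findings[key] = {"run": run, "served": sum(ok for _, ok in hits)}
    return findings

def opaque_photo_name(ext="jpg"):
    """Storage name with 128 random bits: no batch or sequence to guess from one known file."""
    return f"{secrets.token_urlsafe(16)}.{ext}"

def sample_log():
    """Constructed access-log lines in combined log format; not data from the incident."""
    fmt = ('{ip} - - [01/Jan/2026:02:14:{s:02d} +0800] '
           '"GET /uploads/applicants/B2026-{n:06d}.jpg HTTP/1.1" {st} 48211')
    walker = [fmt.format(ip="203.0.113.7", s=i, n=100 + i, st=404 if i == 3 else 200)
              for i in range(8)]
    applicant = [fmt.format(ip="198.51.100.20", s=40 + i, n=n, st=200)
                 for i, n in enumerate([512, 512, 77])]
    return walker + applicant

if __name__ == "__main__":
    for (ip, batch), info in find_enumerators(sample_log()).items():
        print(f"{ip} walked batch {batch}: {info['run']} sequential IDs, {info['served']} served")
```

A 404 inside an otherwise unbroken run is itself a useful signal: a client that keeps counting past a missing file is guessing names rather than following links it was given.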