What Happened
On August 21, 2025, cybersecurity firm Brinztech reported a significant data breach impacting the University of San Carlos (USC), a prominent educational institution in Cebu City, Philippines. The leak involves two large sets of student data totaling 1.42GB, including complete permanent academic records.
This was one of three Philippine universities breached within a single week in August 2025, alongside Naga College Foundation and UP Mindanao.
Data Exposed
The compromised data is separated into two categories:
Partial Student Records (155,300 records):
- Full student names
- Places of birth
- Home addresses
- Learner Reference Numbers (LRN)
- Dates of birth
Complete Academic Records (11,877 records):
- Full Form 137 files — in the Philippines, a Form 137 is a student's permanent and official academic transcript containing a comprehensive history of their grades and personal details
Why This Breach Is Critical
The exposure of Form 137 documents makes this one of the most damaging school breaches in the Philippines:
- Lifelong identity theft risk — Form 137 contains a lifetime of personal and academic data. Unlike passwords that can be reset, a permanent academic record cannot be changed. Criminals can use this data for sophisticated identity theft for years to come
- Fraudulent academic credentials — leaked Form 137s could be used to create counterfeit academic records for employment fraud, professional licensing, or university admissions
- Large-scale phishing — 155,300 partial records with names, addresses, and birth dates provide a massive target list for phishing and fraud campaigns
- Data Privacy Act violation — the scope of this breach likely triggers a mandatory NPC investigation and significant penalties under Philippine law
How This Attack Likely Works
A breach of this scale (1.42GB across two data categories) suggests:
- Database compromise — the attacker gained direct access to the university's student records database, likely through SQL injection, compromised credentials, or an unpatched vulnerability
- Document storage access — the Form 137 files indicate the attacker also accessed a file storage system where digitized academic records are kept, suggesting broader system compromise beyond just the database
- Prolonged access — extracting 1.42GB of organized data suggests the attacker had sustained access rather than a quick grab
Institutional Response
On August 22, 2025, the USC Supreme Student Council (SSC) issued a public advisory on social media (@ssc_usc) stating that the incident "extends beyond the scope of phishing and ransomware schemes, as previously stated by the administration" and confirmed "a significant data breach has occurred, resulting in the exposure of thousands of Carolinians' private information online." The SSC said it had formally communicated with the administration and was awaiting their official response. It urged all Carolinians — including alumni who may also be affected — to take precautionary steps to safeguard their digital security.
The University's Information Resource Management Office (IRMO) noted that the data being circulated appears to be in PDF form and did not originate directly from the University's core database systems. While IRMO stated there was no indication of unauthorized direct access to the databases, it confirmed it was actively investigating and monitoring the situation. Affected individuals were advised to report any suspicious activity to ict-incident@usc.edu.ph.
How to Prevent This
- 1.Encrypt sensitive documents at rest — Form 137s and other official records should be encrypted in storage so they are unreadable even if the storage system is compromised
- 2.Implement strict access controls for academic records — only authorized registrar staff should be able to access Form 137 files, with full audit logging of every access
- 3.Separate document storage from web-facing systems — keep digitized academic records on isolated storage systems that are not directly accessible from the internet or the web application
- 4.Deploy data loss prevention (DLP) tools — monitor for and block large file transfers or bulk data exports from student records systems
- 5.Conduct regular vulnerability assessments — test all student-facing and registrar systems for SQL injection, authentication bypass, and other common vulnerabilities
- 6.Tokenize sensitive identifiers — where possible, use tokenized references instead of storing raw LRNs, birth dates, and addresses in application databases
- 7.Notify affected students promptly — comply with the Data Privacy Act's 72-hour notification requirement and advise students to monitor for identity theft
Sources & References
All sources are independently verified. Access dates and archive links are recorded for each citation.
- [1]Brinztech — Brinztech Alert: 155k student records from the University of San Carlos leaked (Aug 21, 2025)
- [2]Deep Web Konek — University of San Carlos data breach exposes over 155,000 student records
- [3]USC Supreme Student Council (@ssc_usc) — USC SSC Data Breach Advisory (Aug 22, 2025) — confirmed the breach extends beyond phishing/ransomware, urged Carolinians and alumni to secure their digital accounts, and advised reporting suspicious activity to ict-incident@usc.edu.ph