What Happened
On August 21, 2025, cybersecurity firm Brinztech reported a significant data breach impacting the University of San Carlos (USC), a prominent educational institution in Cebu City, Philippines. The leak involves two large sets of student data totaling 1.42GB, including complete permanent academic records.
This was one of three Philippine universities breached within a single week in August 2025, alongside Naga College Foundation and UP Mindanao.
Data Exposed
The compromised data is separated into two categories:
Partial Student Records (155,300 records):
- Full student names
- Places of birth
- Home addresses
- Learner Reference Numbers (LRN)
- Dates of birth
Complete Academic Records (11,877 records):
- Full Form 137 files — in the Philippines, a Form 137 is a student's permanent and official academic transcript containing a comprehensive history of their grades and personal details
Why This Breach Is Critical
The exposure of Form 137 documents makes this one of the most damaging school breaches in the Philippines:
- Lifelong identity theft risk — Form 137 contains a lifetime of personal and academic data. Unlike passwords that can be reset, a permanent academic record cannot be changed. Criminals can use this data for sophisticated identity theft for years to come
- Fraudulent academic credentials — leaked Form 137s could be used to create counterfeit academic records for employment fraud, professional licensing, or university admissions
- Large-scale phishing — 155,300 partial records with names, addresses, and birth dates provide a massive target list for phishing and fraud campaigns
- Data Privacy Act violation — the scope of this breach likely triggers a mandatory investigation by the National Privacy Commission (NPC) and significant penalties under Philippine law
How This Attack Likely Works
A breach of this scale (1.42GB across two data categories) suggests:
- Database compromise — the attacker gained direct access to the university's student records database, likely through SQL injection, compromised credentials, or an unpatched vulnerability
- Document storage access — the Form 137 files indicate the attacker also accessed a file storage system where digitized academic records are kept, suggesting broader system compromise beyond just the database
- Prolonged access — extracting 1.42GB of organized data suggests the attacker had sustained access rather than a quick grab
How to Prevent This
1. Encrypt sensitive documents at rest — Form 137s and other official records should be encrypted in storage so they are unreadable even if the storage system is compromised
2. Implement strict access controls for academic records — only authorized registrar staff should be able to access Form 137 files, with full audit logging of every access
3. Separate document storage from web-facing systems — keep digitized academic records on isolated storage systems that are not directly accessible from the internet or the web application
4. Deploy data loss prevention (DLP) tools — monitor for and block large file transfers or bulk data exports from student records systems
5. Conduct regular vulnerability assessments — test all student-facing and registrar systems for SQL injection, authentication bypass, and other common vulnerabilities
6. Tokenize sensitive identifiers — where possible, use tokenized references instead of storing raw LRNs, birth dates, and addresses in application databases
7. Notify affected students promptly — comply with the Data Privacy Act's 72-hour notification requirement and advise students to monitor for identity theft
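To make items 2 and 4 above concrete (audit logging of every Form 137 access, and monitoring for bulk exports), here is an added Python example, not taken from the original report or from any university system, that scans an access audit log and flags accounts pulling many distinct records or many bytes within a short window. The log format, the `FORM137_DOWNLOAD` action name, the account names and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the registrar's normal workload.
WINDOW = timedelta(minutes=10)   # look-back window per account
MAX_RECORDS = 5                  # distinct Form 137 records allowed per window
MAX_BYTES = 5_000_000            # bytes of Form 137 data allowed per window

# Constructed sample audit log: "timestamp user action record_id bytes"
SAMPLE_LOG = [
    "2025-01-15T09:00:00 registrar_a FORM137_DOWNLOAD rec-0001 120000",
    "2025-01-15T09:20:00 registrar_a FORM137_DOWNLOAD rec-0002 118000",
    "2025-01-15T09:45:00 registrar_a FORM137_DOWNLOAD rec-0003 121000",
    "2025-01-15T09:50:00 registrar_a RECORD_VIEW rec-0003 0",
] + [
    f"2025-01-15T02:00:{i:02d} svc_web FORM137_DOWNLOAD rec-{1000 + i} 125000"
    for i in range(8)            # one account, eight records in eight seconds
]

def parse_line(line):
    """Split one audit line into (timestamp, user, action, record_id, size)."""
    ts, user, action, record_id, size = line.split()
    return datetime.fromisoformat(ts), user, action, record_id, int(size)

def detect_bulk_access(lines, window=WINDOW, max_records=MAX_RECORDS, max_bytes=MAX_BYTES):
    """Return one (timestamp, user, distinct_records, total_bytes) alert per offending user."""
    recent = defaultdict(deque)  # user -> (ts, record_id, size) entries inside the window
    alerts, flagged = [], set()
    for ts, user, action, record_id, size in sorted(map(parse_line, lines)):
        if action != "FORM137_DOWNLOAD":
            continue
        q = recent[user]
        q.append((ts, record_id, size))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = len({rec for _, rec, _ in q})
        total = sum(sz for _, _, sz in q)
        if user not in flagged and (distinct > max_records or total > max_bytes):
            flagged.add(user)                # alert once, at the first threshold breach
            alerts.append((ts.isoformat(), user, distinct, total))
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(alert)
```

The byte ceiling catches repeated pulls of the same large file, which the distinct-record count alone would miss.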
Sources & References
- [1] Brinztech — Brinztech Alert: 155k student records from the University of San Carlos leaked (Aug 21, 2025)
- [2] Deep Web Konek — University of San Carlos data breach exposes over 155,000 student records