MANILA, Philippines – A still unidentified hacker has infiltrated the online student portal of San Beda University (SBU), gaining access to personal information and social media passwords of thousands of students and apparently releasing them online.

“We discovered an incident where your email address and password, as used in the student portal was accessed by an unknown entity, purporting to be a hacker, and illegally released the same publicly via social media platform Twitter,” SBU said in a statement to its community on Saturday, June 6.

The student portal is where SBU students view their grades and input their personal information for enrollment. Before the hack was confirmed, the student portal was defaced to flashing a threat from the hacker against SBU.

“Greetings San Beda University! Do we have your attention now? We’re expecting from you. Don’t try to provoke us. This message may serve as a warning,” the message showed on June 4, accompanied by a countdown towards an supposed “doomsday.”

What leaked? According to SBU, the hacker has gained access to personal data of its users, including the following:

• Full name of students, guardians, and faculty
• Birthday of students
• Addresses of students and guardians
• Passwords and email addresses
• Contact numbers of students and guardians
• Student grades
• Student identification number
• Student course
• Previous schools attended by student
• Statement of accounts

How did it happen? SBU said the apparent hacker got through the system set up by the third-party company that SBU had hired for their student portal, Princtech Company.

The intruder has simultaneously been sending out pharming links to trick members of the SBU community into sharing more personal information. (READ: The state of cybersecurity in the Philippines)

According to its website, Princetech is a Philippine company founded in 2002 to provide information technology services to the business and academic communities, and business process outsourcing firms in the Philippines.

Aside from over a dozen universities, it listed as one of its “valued customers” the government-run Philippine Information Agency. It also counted the Asian Development Bank, the Bank of the Philippine Islands, the Philippine Veterans Bank, Unionbank, and the Philippine Daily Inquirer as its “hardware clients.”

What now? SBU has reached out to the National Bureau of Investigation and the National Privacy Commission to probe the breach, demanded Princetech to explain, and hired IT experts to audit the system and recommend a redesign.

The university called on its community to change all the passwords of all their online accounts, and enable two-step authentication. It added, “if possible, [we] recommend that you delete the same and create new accounts.”

SBU apologized and vowed to exhaust all efforts to protect the data of its community . – Rappler.com