DWK Investigates USC Data Breach; Phishing Emails Suspected
Deep Web Konek (DWK) is investigating a data breach reportedly affecting the University of San Carlos (USC). Based on information from Today’s Carolinian, early indications suggest that phishing emails were the primary cause of the incident.
A listing on a cybercrime forum claims to contain over 155,000 student records from USC’s official student management system (ismis.usc.edu.ph). The leaked data reportedly includes full names, places of birth, residential addresses, learner reference numbers (LRN), and dates of birth.
USC’s Information Resource Management Office (IRMO) confirmed that suspicious emails were circulating among students. These messages demanded urgent action and were identified as phishing-based extortion attempts. IRMO advised students to delete the emails, avoid clicking any links, and immediately change their account passwords.
https://iili.io/KHqKv5B.jpg
DWK was able to gather possible related information showing that the Protonmail account used by the extortionist was registered around August 4–5, 2025. Shortly after, on August 6, a post appeared on an underground forum discussing potential vulnerabilities, including IDOR, outdated ASP.NET components, and an old jQuery version. This suspicious forum post may suggest a possible technical exploitation, though DWK’s investigation is limited and cannot fully verify the connection. DWK advises that USC’s IT Department review these vulnerabilities as a precautionary measure.
https://iili.io/KHqd3EQ.png
In a separate forum post, the same user shared information regarding their continued access to a server within USC’s systems. They boasted about creating a “campus botnet” to steal browser passwords and financial details, hinted at selling files, and admitted that part of the post was “for the media,” confirming the scare tactic observed by IRMO.
https://iili.io/KHqxJ1e.png
This combination of phishing emails and suspicious forum activity points to a layered incident, with phishing as the main factor and a possible technical angle that remains unverified.
DWK will continue monitoring underground forums and tracking the potential sale or distribution of stolen data. The investigation remains active.
