File photo

Far Eastern University (FEU) Information Technology Services (ITS) has been taking different measures to secure stakeholder’s data after the hacking of Student Portal.

After incident reports, ITS disabled the Student Portal's public URL address and advised the students to change their passwords while investigation is ongoing.

“As an immediate response to this alleged intrusion of the Student Portal, we disabled its public URL address. ITS prompted all FEU students to change their passwords in their other FEU accounts as an initial security measure,” IT Head Victorino Tolosa II told FEU Advocate.

Upon verification, Tolosa confirmed the post included names of 44 existing FEU students with student ID, name, postal address, FEU email address, student portal password, birthday, program, and contact number.

Students identified in the uploaded link were directly contacted through their Microsoft Outlook and Canvas accounts.

The message read, “We regret to inform you that you are receiving this message because your personal information was compromised in an attack on FEU student portal last June 17, 2020.”

The University filed a report to the National Privacy Commission (NPC) upon receipt of reports and was acknowledged a day after, assigning the University with corresponding reference of NPC BN No. 20-105.

Together with the NPC-accredited third-party cybersecurity service provider, ITS is in the process of strengthening the “vulnerability” of the Student Portal and hardening application security.

Hacking incident

On June 17 about 1:00 am, ITS received reports regarding an online post containing personal data of at least 500 FEU students on a “pastebin” website.

Tolosa furthered, the hackers used a Structured Query Language (SQL) injection attack known to execute malicious SQL statements which control a database server behind a web application.

Prior the incident, a report from Philippine News (PhilNews) released last June 4 claimed an alleged breach of 300,000 students and faculty members’ data including SSS, PAGIBIG, and TIN accounts.

Tolosa did not confirm nor deny the alleged incident as it is still under investigation. He added that the FEU Data Privacy Office will release additional information to keep the students informed and updated.

“The FEU Data Privacy Office will also be releasing FAQs so we can collectively combat this digital challenge,” Tolosa ended.

- Dianne M. Romero and Janna Mae Bobier