Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the alleged sale of a database belonging to MTS Nurul-Jadid Probolinggo (man2kabrembang.sch.id or similar affiliate domain). The dataset reportedly contains over 4,000 rows of student data from the 2024-2025 academic year and is being offered for a low price of $50.
Brinztech Analysis:
- The Target: MTs Nurul Jadid is a legitimate Islamic junior high school (Madrasah Tsanawiyah) located in Paiton, Probolinggo, East Java, affiliated with the prominent Nurul Jadid Islamic Boarding School.
- The Data: The leak is highly sensitive, reportedly containing:
  - Student PII: Names, Gender, Class, Addresses, NISN (National Student Identification Number).
  - Financial Data: Bank Account Details (Account Name, Bank Name, Account Number).
- The Threat: The inclusion of bank account details alongside NISN suggests this database might be related to the distribution of government educational assistance (like the Program Indonesia Pintar – PIP). The low price ($50) indicates the actor views this as a “volume” sale, making it accessible to low-level fraudsters who may target student aid funds.
Context: This incident aligns with the surge in cyberattacks targeting the Indonesian education sector in 2025. Schools are increasingly targeted because they manage sensitive financial aid data but often lack enterprise-grade cybersecurity defenses.
Key Cybersecurity Insights
This alleged data breach presents a specific threat to students and the school’s administration:
- Financial Fraud Risk (PIP/KIP): The exposure of bank account details linked to student IDs creates a direct risk of scholarship fraud. Attackers could potentially attempt to divert funds or use the data to impersonate school officials and demand “administrative fees” from parents to release aid.
- High Risk of Identity Theft: The NISN is a critical educational identifier in Indonesia. Combined with full names and birth/address data, it allows for synthetic identity fraud or the creation of fake student profiles for other scams.
- Regulatory Impact (UU PDP): This breach falls under Indonesia’s Personal Data Protection (PDP) Law (UU PDP). As a data controller, the school faces mandatory reporting requirements to the newly formed data protection authority. Failure to secure student banking data could result in significant administrative penalties.
- Low Barrier to Entry: The $50 price point means this data will spread rapidly. It is likely to be purchased by local scammers for “School Fee” phishing campaigns via WhatsApp.
Mitigation Strategies
In response to this claim, the school and the Ministry of Religious Affairs (Kemenag) must take immediate action:
- Immediate Parent Notification: The school must notify parents immediately. Warn them specifically about unsolicited calls or WhatsApp messages claiming to be from the school regarding scholarships or bank transfers.
- Secure Banking Data: If the school facilitates aid disbursement, it should work with the partner banks to flag the affected accounts for unusual activity.
- System Audit: Conduct a forensic investigation to determine the breach vector. The likely vector is an SQL injection vulnerability in the student information system or a compromised administrative account.
- Data Minimization: Review why full bank account details were stored in an accessible format. Moving forward, sensitive financial data should be encrypted or tokenized.
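The tokenization recommended under Data Minimization, as an added example that is not Brinztech's or the school's code: the student information system keeps only a random token and a masked number, so a dump of its table exposes no usable account numbers. The `AccountVault` class, the `disbursement` role, the field names and the sample record are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class AccountVault:
    """Hypothetical token vault, kept in a separate store from the student DB."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # held only by the vault service
        self._by_token = {}              # token -> real account number
        self._by_digest = {}             # HMAC(account) -> token, for reuse

    def tokenize(self, account_number: str) -> str:
        normalized = "".join(ch for ch in account_number if ch.isdigit())
        if not normalized:
            raise ValueError("account number has no digits")
        digest = hmac.new(self._index_key, normalized.encode(), hashlib.sha256).hexdigest()
        if digest in self._by_digest:    # same account always maps to one token
            return self._by_digest[digest]
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the value
        self._by_token[token] = normalized
        self._by_digest[digest] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the (assumed) aid disbursement workflow may recover the real number.
        if caller_role != "disbursement":
            raise PermissionError("role may not detokenize")
        return self._by_token[token]


def to_sis_row(record: dict, vault: AccountVault) -> dict:
    """Return the row the student information system stores: no raw account number."""
    digits = "".join(ch for ch in record["account_number"] if ch.isdigit())
    row = {k: v for k, v in record.items() if k != "account_number"}
    row["account_token"] = vault.tokenize(record["account_number"])
    row["account_masked"] = "*" * max(len(digits) - 4, 0) + digits[-4:]
    return row


# Constructed sample record; every value is made up for illustration.
SAMPLE = {"nisn": "0000000001", "name": "Sample Student", "class": "7A",
          "bank_name": "Example Bank", "account_name": "Sample Student",
          "account_number": "1234-5678-9012"}

if __name__ == "__main__":
    vault = AccountVault(index_key=secrets.token_bytes(32))
    print(to_sis_row(SAMPLE, vault))
```

In a real deployment the vault's mappings would sit in a separately credentialed, encrypted store, so that compromising the student information system alone does not reach them.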
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com