Dark Web News Analysis
Cybersecurity intelligence from February 16, 2026, has identified a targeted data exposure event involving SMK Negeri 5 Batam, one of the largest vocational high schools in the Riau Islands. A threat actor operating under the alias MR-Zeeone-Grayhat has published a database on a well-known hacker forum, offering it for free to other cybercriminals.
The leaked dataset is highly intrusive, providing a “Fullz” profile for approximately 1,000 students. The dump reportedly includes:
- Sensitive PII: Full names, gender, and exact dates of birth.
- National Identifiers: NIK (National Identification Number) and NISN (National Student Identification Number).
- Family Metadata: Names of parents or guardians.
- Academic Data: Current class details and student registration information.
This incident follows a period of localized scrutiny for the school, including reports in July 2025 regarding alleged irregularities in the student admission process (PPDB), which may have exposed underlying administrative vulnerabilities.
Key Cybersecurity Insights
The breach of a secondary school database is a “Tier 1” threat that targets a demographic with limited awareness of digital security:
- Foundation for Lifetime Identity Theft: In Indonesia, the NIK is a permanent identifier used for everything from banking to government subsidies. Exposure of a student’s NIK and birthdate allows criminals to create fraudulent accounts or apply for predatory online loans (Pinjol) that may not be discovered until the student reaches adulthood.
- High-Fidelity “Parental” Phishing: Armed with the names of parents and their children’s specific classes, attackers can launch hyper-convincing Vishing (voice phishing) or SMS scams. They may impersonate school officials, citing the child’s real data to “verify” emergency situations or request fraudulent fees.
- Legal and Regulatory Escalation: Since the full enforcement of Indonesia’s Personal Data Protection (PDP) Law in October 2024, educational institutions are considered “Data Controllers.” Under the law, failure to protect Specific Personal Data (which includes children’s data) can result in administrative fines of up to 2% of annual revenue and criminal penalties for negligent officials.
- Industrialized Hacktivism: The actor MR-Zeeone-Grayhat appears to be engaging in “exposure for clout,” releasing the data for free to damage the school’s reputation. This type of hacktivism often serves as a signal for other, more financially motivated actors to exploit the now-public information.
Mitigation Strategies
To protect the student body and secure the academic digital perimeter, the following strategies are urgently recommended:
- Immediate Multi-Agency Notification: SMK Negeri 5 Batam must immediately notify the Provincial Education Office and the National Cyber and Crypto Agency (BSSN). Under the PDP Law, affected data subjects (parents and students) should be informed within 72 hours of the breach discovery.
- Enforce Password and Portal Overhaul: The school must force an immediate password reset for all administrative, teacher, and student portals. Implement Multi-Factor Authentication (MFA) for any portal that accesses student records, so that a stolen password alone is not enough to reach those records.
- Community Education Campaign: Conduct a “Cyber Safety” workshop for students and parents. Advise them to be hyper-vigilant against “urgent” WhatsApp or SMS messages referencing their NIK or school details, and to verify any “official” requests through a direct, known phone number.
- Infrastructure Hardening and GRC Audit: Perform a forensic audit of the school’s web-based student management systems. Many school leaks are the result of unpatched SQL Injection vulnerabilities or insecure API endpoints used for PPDB or grading systems.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com