Dark Web News Analysis
Dark web sources report the alleged sale of a database from SMA Katolik Frateran Surabaya, a prominent Catholic high school in Surabaya, Indonesia. The attacker claims to be selling a database of 80,000 lines from the school’s information system, identified by the domain fis.frateran.sch.id. The sale is being conducted via a hacker forum, with communications handled through Telegram.
Based on the source (an Indonesian school information system), the 80,000-line database is inferred to contain a “goldmine” of interconnected PII for students and their parents/guardians, including:
- Student PII: Full Names, Dates of Birth, Addresses, Phone Numbers.
- Parent/Guardian PII: Full Names, Phone Numbers, Occupations.
- National IDs (CRITICAL): NIK (Nomor Induk Kependudukan) for both students and parents.
- School IDs: NISN (Nomor Induk Siswa Nasional).
- Academic/Financial Data: Grades, disciplinary records, and potentially tuition payment status.
Key Cybersecurity Insights
This is a high-severity data breach with severe, immediate implications for the students and their families. The primary threat is targeted financial fraud.
- “Pinjol” Fraud Goldmine (NIK Leak): This is the #1 immediate threat in the Indonesian context. The leak of parent and student NIK (National ID) numbers is a “full kit” for identity theft. Attackers will use this data to apply for high-interest, predatory online loans (known as “pinjol” or “pay-later” fraud) in the parents’ names.
- IMMEDIATE Risk: Hyper-Targeted Vishing/Phishing: The “parent-child-school” relationship in the data gives the attacker a ready-made social engineering script.
  - The Scam: “Hello [Parent’s Name], this is the SMA Frateran billing office. Our records show your child, [Student’s Name], has an outstanding tuition fee. To avoid suspension, please pay immediately at [phishing link]…”
  - This scam will be extremely effective because it uses real, verifiable data, creating panic and trust to steal bank credentials or e-wallet (OVO/GoPay) funds.
- Risk to Minors (Sensitive Data): This is a breach of a vulnerable population (minors). The leak of their PII, academic records, and (potentially) disciplinary status is a catastrophic privacy violation.
- Severe Regulatory Failure (Indonesia – UU PDP): This is a severe breach of Indonesia’s Personal Data Protection Law (UU PDP).
  - The school (as the “Data Controller”) is legally required to report this breach to the Data Protection Authority (Kominfo/BSSN) “without undue delay” (typically within 72 hours).
  - The leak involves the “sensitive personal data” of minors, which will attract the highest level of fines and regulatory penalties.
Mitigation Strategies
This is a parent-focused fraud and identity theft emergency. The response must be immediate and public.
For SMA Katolik Frateran Surabaya (The School):
- Immediate Investigation: (As suggested) Launch a full forensic investigation to confirm the leak from fis.frateran.sch.id and find the vector (e.g., SQL injection, exposed database).
- MANDATORY: Regulatory Reporting: Report this incident to Kominfo/BSSN immediately to comply with the 72-hour UU PDP deadline.
- MANDATORY: Force Password Reset: (As suggested) Immediately force a password reset for all student, parent, and staff accounts on the portal.
- CRITICAL: URGENT Public Warning: Immediately send an official, secure communication (e.g., via a known-safe portal, not a new email) to all parents. This warning must be transparent about the NIK and PII leak and the specific, high risk of vishing/WhatsApp scams related to tuition payments.
For Affected Parents & Staff:
- Vishing/Phishing Alert: TRUST NO ONE. Assume all unsolicited calls, texts, or WhatsApp messages from “SMA Frateran” are SCAMS, even if they know your child’s full name. NEVER click links or send payment. HANG UP and call the school’s official administrative number yourself.
- Monitor Finances: (For Parents) Proactively monitor your bank accounts, e-wallets, and credit status for any signs of fraudulent “pinjol” (loan) applications.
- Change Reused Passwords: If your school portal password was reused anywhere else (bank, email, Tokopedia), that account is now compromised. Change it immediately.
Questions or Feedback?
This analysis is based on threat intelligence from a dark web forum. A breach of a school, involving the PII and NIKs of minors and their parents, is a severe event that enables mass identity theft and targeted fraud. Brinztech provides cybersecurity services worldwide and does not endorse or guarantee the accuracy of external claims. For any inquiries or to report this post, please email: contact@brinztech.com