FulcrumSec leaks Global Schools Foundation data, exposing 33,000+ children's and parents' passports

On 10 June 2026, the data-extortion group FulcrumSec — a relatively new ransomware-style crew that relies on theft and public leaks rather than encryption — listed Global Schools Foundation (GSF) on its leak site and dumped what it described as roughly 4.8 terabytes of data stolen from the Singapore-based education group. GSF, through its operating arm Global Schools Group (GSG), runs a network of international school brands and more than 60 campuses across India, Malaysia, Cambodia, Japan, Saudi Arabia, Singapore, South Korea, the Philippines, and the United Kingdom, making the breach one of the most consequential education-sector incidents of the year by the sheer sensitivity of the data involved.

What happened

According to FulcrumSec's account, the group first gained a foothold via database credentials that were never rotated after an earlier breach in 2022 — the same MongoDB passwords reportedly remained valid in 2026. Using that access, the attackers say they exfiltrated data over roughly a week beginning in April 2026, and that the intrusion went unnoticed; in their telling, the organisation would likely never have learned of it had FulcrumSec not made contact. The data was published after a ransom negotiation collapsed, with the group complaining to DataBreaches.Net that the victim's negotiator had behaved "bizarrely" before talks failed.

The exposed material is unusually sensitive because so much of it concerns minors. FulcrumSec claims the trove includes 33,088 passport numbers belonging to children and their parents across 66 nationalities, along with attendance records, teacher passwords, and photos of campus visitors — and around 9.4 million internal messages spanning 2006 to 2024.

Impact

• FulcrumSec claims to have exfiltrated roughly 4.8 TB of data from Global Schools Group.
• The leak reportedly includes 33,088 passport numbers of children and parents across 66 nationalities.
• Around 9.4 million internal messages (2006–2024) are said to be part of the dataset, alongside attendance records and credentials.
• Initial access is attributed to MongoDB credentials left unchanged since a 2022 breach.
• The data was published after ransom negotiations failed; no payment is known to have been made.

Why it matters

Schools sit on some of the richest personal data anywhere — full identity documents, family relationships, and years of records on children who cannot meaningfully consent or protect themselves — and a leak of tens of thousands of minors' passports is the kind of exposure that can enable identity fraud for a decade or more. The incident is also a stark lesson in basic hygiene: if FulcrumSec's account holds, the entire breach traces back to credentials that were known to be compromised in 2022 and simply never changed, leaving a global school network's most sensitive records reachable years later with old keys.