
Global Schools Group breach exposes 183k accounts and passport data

breach · open · Jun 12, 2026 — Jun 18, 2026

Global Schools Group confirmed a breach that exposed personal data for more than 183 000 accounts, including passport and government ID numbers, after attackers linked to the group FulcrumSec infiltrated its network in April 2026. The incident affects students, parents and staff across the organisation’s twelve international school brands.

According to analysis published by databreaches.net, the attackers exfiltrated roughly 4.8 terabytes of information, comprising 33 088 passport numbers, 9.4 million internal messages and plaintext passwords for teaching staff. The data set also contains attendance records, job applicant files and a variety of confidential documents. No CVE identifiers have been associated with the intrusion, indicating the attackers likely used legitimate credentials or unpatched internal applications.

The breach impacted 83 132 student accounts, 88 856 parent accounts and 11 176 staff accounts, with the Global Indian International School (GIIS) brand suffering the largest share of the loss. Other affected brands include Overseas Family School (OWIS) and Glendale Academy, among the twelve operated by the Global Schools Foundation. Threat actors posted screenshots of the stolen data on underground forums, demonstrating the breadth of the compromise.

FulcrumSec has publicly criticised the victim’s negotiation tactics, claiming the organisation misrepresented facts during talks and displayed erratic behaviour. Following the disclosure, data protection regulators in Singapore and several other jurisdictions opened investigations, while GSG advised affected individuals to watch for identity theft and phishing attempts. As noted in a second databreaches.net article, the leak of passport numbers raises particular concern for cross‑border travel fraud and the potential creation of forged travel documents.

Defenders should begin by forcing a password reset for all accounts whose passwords may have been stored in plaintext and enabling multi‑factor authentication wherever possible. Security teams need to review authentication logs for anomalous login attempts, especially from unfamiliar geographic locations, and block any suspicious IP addresses observed in the threat intel feeds. Organisations should also notify affected individuals promptly, offering credit monitoring and guidance on securing personal identification documents.
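One way to run the log review described above, as an added example that is not taken from the databreaches.net reporting or from GSG: it builds a per-account country baseline from before the intrusion window, flags later attempts from countries outside it, and lists successful logins by accounts that have not completed the forced reset. The log format, account names, country codes and both cut-off dates are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample auth log (not data from the incident). Columns:
# ISO timestamp, account, event, country code (assumed GeoIP-enriched;
# XX and YY stand in for countries the account has never used).
SAMPLE_LOG = """\
2026-03-02T08:02:11,t.rao,login_ok,SG
2026-03-09T08:10:45,t.rao,login_ok,SG
2026-03-10T09:30:00,p.lim,login_ok,MY
2026-05-06T02:14:09,t.rao,login_ok,XX
2026-06-13T07:55:31,t.rao,password_reset,SG
2026-06-13T08:01:02,t.rao,login_ok,SG
2026-06-14T10:20:00,p.lim,login_ok,MY
2026-06-14T23:41:17,p.lim,login_fail,YY
"""
# Assumed dates: the baseline must end before the April 2026 intrusion so
# attacker logins cannot become "familiar"; RESET_TIME is hypothetical.
BASELINE_END = datetime(2026, 4, 1)
RESET_TIME = datetime(2026, 6, 13)

def review_auth_log(log_text, baseline_end, reset_time):
    """Return (new_country_attempts, stale_password_logins)."""
    rows = sorted((datetime.fromisoformat(r[0]), r[1], r[2], r[3])
                  for r in csv.reader(StringIO(log_text)) if r)
    baseline = defaultdict(set)  # account -> countries seen pre-intrusion
    has_reset = set()            # accounts that completed the forced reset
    new_country, stale_password = [], []
    for ts, acct, event, country in rows:
        if event == "password_reset":
            if ts >= reset_time:
                has_reset.add(acct)
            continue
        if event not in ("login_ok", "login_fail"):
            continue
        if ts < baseline_end:
            if event == "login_ok":
                baseline[acct].add(country)
            continue
        # Any attempt, successful or not, from a country outside the baseline.
        if country not in baseline[acct]:
            new_country.append((ts.isoformat(), acct, event, country))
        # Success after the reset order by an account that has not reset yet:
        # a possibly exposed password is still being accepted.
        if event == "login_ok" and ts >= reset_time and acct not in has_reset:
            stale_password.append((ts.isoformat(), acct, country))
    return new_country, stale_password
```

Because the baseline ends before the intrusion, the same pass also works as a retrospective hunt across the period between the April compromise and the reset.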

Beyond immediate credential hygiene, investigators recommend revisiting network segmentation to limit lateral movement between school‑brand systems and conducting regular tabletop exercises that simulate ransomware or data‑theft scenarios. Continuous monitoring for the FulcrumSec indicators of compromise, such as specific file hashes and command‑and‑control domains mentioned in the databreaches.net report, will help detect any follow‑on activity. Taking these steps can reduce the risk of further exposure and support compliance with the ongoing regulatory inquiries.

In the longer term, organisations should revisit their incident response plans to incorporate lessons learned from this breach, ensuring that communication templates for regulators and affected families are pre‑approved. Engaging an external forensic team to validate the eradication of attacker artifacts can provide assurance that no foothold remains. Finally, investing in regular security awareness training for staff and students helps reduce the risk of credential phishing, which remains a common entry point for threat actors targeting the education sector.

Intelligence briefing updated Jun 18, 2026
