GlobalLogic Alerts 10,000 Staff to Data Theft After Oracle Hack

GlobalLogic, a prominent digital engineering firm under the Hitachi umbrella, has issued data breach notifications to more than 10,000 current and former employees following a security incident involving Oracle’s E-Business Suite. The breach exploited a zero-day vulnerability within Oracle’s platform, allowing attackers to access and extract sensitive HR-related personal data.

Headquartered in Santa Clara, California, GlobalLogic was established in 2000 and has since grown to operate 59 product engineering centers and multiple global offices. In a formal notice submitted to the Maine Attorney General’s office, the company confirmed that unauthorized individuals leveraged a flaw in Oracle EBS to steal information affecting 10,471 individuals.

According to GlobalLogic’s investigation, the attackers gained entry into the Oracle system and removed data on October 9, 2025. The company promptly began preparing and distributing notifications to those impacted. The earliest signs of malicious activity date back to July 10, 2025, with the most recent intrusion occurring on August 20, 2025.

GlobalLogic emphasized that the breach was confined to its Oracle platform and did not compromise any other internal systems. The company also noted that, based on industry reports, it appears to be one of many Oracle clients affected by the same campaign. The stolen data originated from Oracle’s HR modules and included details of both current and former staff.

The compromised information covers a wide range of personally identifiable and financial data. This includes names, addresses, telephone numbers, and emergency contact details. Additionally, attackers obtained email addresses, dates of birth, nationalities, countries of birth, passport information, national or tax identifiers such as Social Security Numbers, salary details, and bank account information.

While GlobalLogic has not officially named the threat actor responsible, the incident bears the hallmarks of an extortion campaign by the Clop ransomware group. Since early August, Clop has been actively exploiting a specific Oracle EBS zero-day vulnerability, tracked as CVE-2025-61882, to steal confidential corporate data from numerous organizations.

Although Clop has not released a full list of victims, John Hultquist, chief analyst at Google Threat Intelligence Group, indicated that dozens of entities are believed to have been affected. The group has since listed Harvard University, Envoy Air, and The Washington Post on its Tor-based leak site, where stolen data from these organizations has been published and made available for download via torrent.

GlobalLogic has not yet appeared on Clop’s leak portal, suggesting the company may still be in negotiations with the attackers or has already met their demands. A spokesperson for GlobalLogic declined to comment on whether a ransom was demanded but acknowledged that the Clop gang is claiming responsibility for the attack.

Clop has a well-documented history of large-scale data theft campaigns, having previously targeted file transfer solutions including Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer. The MOVEit incident alone impacted more than 2,770 organizations globally.

In response to the ongoing threat posed by ransomware groups, the U.S. State Department is now offering a reward of up to $10 million for information that could connect Clop’s operations to a foreign government.

(Source: Bleeping Computer)