GlobalLogic Hit by Cl0p Ransomware Following Oracle EBS Breach

Summary
– GlobalLogic notified 10,471 current and former employees that their data was compromised in a large-scale extortion campaign targeting its Oracle EBS platform.
– The breach resulted from a zero-day vulnerability in Oracle EBS, which GlobalLogic uses for core business functions like HR and finance; the flaw was patched after data was exfiltrated on October 9, 2025.
– Compromised personal information includes names, addresses, phone numbers, email addresses, dates of birth, passport details, Social Security numbers, salary, and bank account information.
– The exposed data poses a significant risk for phishing campaigns and identity fraud, as it provides threat actors with extensive personal and financial details.
– The Cl0p threat group is suspected to be behind the campaign, with Google noting dozens of victims and Harvard University and Envoy Air publicly identified as other affected organizations.

GlobalLogic, a major US-based software firm owned by Hitachi, has alerted thousands of current and former employees that their personal information was stolen in a significant data breach. The incident, which affected the company’s Oracle E-Business Suite (EBS) platform, was disclosed in a notification letter submitted to the Office of the Maine Attorney General. A total of 10,471 individuals were informed that their sensitive HR and financial details may have been accessed by unauthorized parties.
According to the notification, Oracle released a security advisory on October 4, 2025, regarding a previously unidentified zero-day vulnerability. GlobalLogic relies on Oracle EBS, a suite of integrated applications, to manage essential business operations including finance, human resources, and accounting. The company stated that it launched an immediate investigation after learning of the security flaw and confirmed that its Oracle instance had been compromised. Although the vulnerability was patched promptly, the investigation revealed that data exfiltration occurred on October 9, 2025.
Oracle had initially signaled that threat actors were likely exploiting vulnerabilities as early as October 2, with Google’s Mandiant unit confirming the activity days later. The stolen data includes a wide range of personally identifiable and financial information. Exposed details encompass employee names, addresses, phone numbers, email addresses, dates of birth, nationality, passport information, Social Security numbers, salary data, and bank account and routing numbers. Emergency contact information was also among the compromised records.
This type of comprehensive personal and financial data presents a serious risk for follow-on attacks. Cybercriminals could leverage the stolen information to conduct highly convincing phishing campaigns, impersonate GlobalLogic or other trusted entities, or carry out identity fraud. While GlobalLogic has not confirmed whether the Cl0p ransomware group, the threat actor believed responsible, has made contact, Google has indicated awareness of dozens of affected organizations, with the final count potentially exceeding one hundred. To date, only Harvard University and Envoy Air have been publicly identified as additional victims in the same campaign.
(Source: InfoSecurity Magazine)




