University of Pennsylvania Discloses New Data Breach Following Oracle Hack

Summary
– The University of Pennsylvania disclosed a new data breach where attackers exploited a zero-day flaw in its Oracle E-Business Suite servers in August 2025, stealing personal information.
– The breach is confirmed to have impacted at least 1,488 individuals, though the total number affected is likely larger and remains undisclosed by the university.
– This incident is part of a larger extortion campaign by the Clop ransomware gang, which has targeted nearly 100 organizations, including other Ivy League schools, using the same Oracle vulnerability.
– Penn has stated it found no evidence the stolen data has been publicly disclosed or misused, and it has patched the vulnerability as recommended by Oracle.
– The U.S. State Department is offering a $10 million reward for information linking Clop’s attacks to a foreign government.

The University of Pennsylvania has confirmed a significant data breach stemming from a widespread attack on Oracle’s financial software systems. This incident, linked to a critical security flaw, compromised personal information and highlights the persistent cybersecurity threats facing major institutions. The breach is connected to a known extortion campaign by the Clop ransomware gang, which has targeted numerous high-profile organizations using the same vulnerability.
Penn notified state authorities that attackers leveraged a previously unknown weakness, a zero-day flaw, within the Oracle E-Business Suite application. This unauthorized access occurred in August, leading to the theft of documents containing personal identifiers. While the university’s official filing with the Maine Attorney General cites 1,488 affected individuals, the actual number is believed to be substantially higher. The institution has not publicly detailed the exact count or the specific types of personal data taken.
In a statement, the university explained that its internal investigation revealed the unauthorized data access, prompting a review to identify impacted parties. Direct notifications to those individuals began after a determination was made in mid-November. Penn emphasized it has found no evidence that the stolen information has been publicly disclosed or misused for fraud. The school also confirmed it applied the necessary security patches provided by Oracle, noting that no other university systems outside the Oracle platform were compromised.
This event follows another security incident disclosed by Penn in late October, where a hacker claimed to have stolen data related to roughly 1.2 million students, alumni, and donors. Furthermore, other Ivy League universities, including Harvard and Princeton, have recently reported similar breaches targeting their development and alumni networks through sophisticated phishing schemes.
The broader attack campaign exploits a specific vulnerability tracked as CVE-2025-61882. Clop, a notorious ransomware operation, is actively using this flaw to steal sensitive files from Oracle EBS platforms across nearly one hundred organizations. Other victims in this campaign include Harvard University, The Washington Post, and several major corporations. Penn has not yet appeared on Clop’s public leak site, which may indicate ongoing negotiations or that a ransom has been paid.
This group has a history of large-scale data theft attacks, previously targeting vulnerabilities in popular file transfer solutions like Accellion FTA and MOVEit Transfer, impacting thousands of organizations globally. In response to the threat posed by such cybercriminal syndicates, the U.S. State Department is offering a multimillion-dollar reward for information linking Clop’s activities to a foreign state actor. The university continues to work with external cybersecurity experts and law enforcement as part of its response.
(Source: Bleeping Computer)





