The University of Pennsylvania has revealed a data breach stemming from a cyberattack on its Oracle financial systems.
Quick Summary – TLDR:
Hackers exploited a zero-day flaw in Oracle E-Business Suite to access Penn’s internal systems.
Personal data of at least 1,488 individuals was stolen, with the real number possibly much higher.
The Clop ransomware gang is suspected, linking Penn to a wider cyber extortion campaign.
Penn joins other Ivy League schools recently hit by phishing and data theft attacks.
What Happened?
The University of Pennsylvania has confirmed a data breach involving its Oracle E-Business Suite (EBS) after attackers exploited a previously unknown vulnerability to steal sensitive personal information. The incident occurred in August but was officially disclosed in a filing with the Maine Attorney General’s office. The university says the breach is part of a larger cyberattack campaign affecting nearly 100 organizations.
Penn’s Oracle Systems Breached
In the breach notification sent to affected individuals, the university explained that unauthorized access to Penn’s Oracle EBS platform had occurred. A thorough investigation revealed that personal data was stolen, although the specific types of information remain undisclosed. The university has directly notified the 1,488 confirmed impacted individuals, though it admits the actual number could be far greater.
In an official statement, Penn said:
“We discovered that some data from Penn’s Oracle EBS
Source: https://sqmagazine.co.uk/penn-oracle-data-breach-clop-hack/
TPRM report: https://www.rankiteo.com/company/office-of-the-executive-vice-president-university-of-pennsylvania
{
  "id": "off1764700650",
  "linkid": "office-of-the-executive-vice-president-university-of-pennsylvania",
  "type": "Ransomware",
  "date": "08/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '1,488 (confirmed, '
'possibly more)',
'industry': 'Higher Education',
'location': 'Pennsylvania, USA',
'name': 'University of Pennsylvania',
'size': None,
'type': 'Educational Institution'}],
'attack_vector': 'Zero-day vulnerability exploitation',
'customer_advisories': 'Direct notifications to affected '
'individuals',
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Yes',
'file_types_exposed': None,
'number_of_records_exposed': '1,488 (confirmed, '
'possibly more)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personal data'},
'date_detected': '2023-08',
'description': 'The University of Pennsylvania confirmed a data '
'breach involving its Oracle E-Business Suite '
'(EBS) after attackers exploited a previously '
'unknown vulnerability to steal sensitive '
'personal information. The breach is part of a '
'larger cyberattack campaign affecting nearly 100 '
'organizations.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Personal data of at least 1,488 '
'individuals',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': 'Oracle E-Business Suite (EBS)'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': 'Oracle E-Business '
'Suite zero-day '
'vulnerability',
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'motivation': 'Cyber extortion',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': 'Exploitation of '
'zero-day '
'vulnerability in '
'Oracle E-Business '
'Suite'},
'ransomware': {'data_encryption': None,
'data_exfiltration': 'Yes',
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': 'Clop'},
'references': [{'date_accessed': None,
'source': 'Maine Attorney General’s office '
'filing',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': 'Filing '
'with '
'Maine '
'Attorney '
'General’s '
'office'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Filing with Maine '
'Attorney General’s '
'office and direct '
'notifications to '
'affected individuals',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'threat_actor': 'Clop ransomware gang',
'title': 'University of Pennsylvania Oracle E-Business Suite '
'Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Zero-day flaw in Oracle E-Business '
'Suite'}