Office of the Executive Vice President: Penn investigating new data breach affecting business software, personal records

Penn is investigating a cybersecurity breach of its Oracle E-Business Suite servers that compromised the personal information of University-affiliated individuals across multiple states.

The breach — identified by the University in November — exploited the business software Penn uses to manage internal operations, according to letters filed with attorneys general in multiple states. Penn is in the process of notifying individuals whose personal information was compromised by the incident, according to a University spokesperson.

“The University of Pennsylvania was one of nearly 100 already-identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system,” the spokesperson wrote in a statement to The Daily Pennsylvanian.

Penn has implemented “the patches that Oracle issued to resolve the vulnerability” and “has found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes,” the statement added.

In a Dec. 1 letter notifying impacted individuals, Penn wrote that its investigation — assisted by federal law enforcement and cybersecurity experts — discovered that “some data from Penn’s Oracle EBS had been obtained without authorization.”

It remains unclear how many individuals were affected. According to information filed with the Office of the Maine Attorney General, the breach affected 1,488 state

Source: https://www.thedp.com/article/2025/12/penn-cybersecurity-breach-oracle-business-hack

Office of the Executive Vice President cybersecurity rating report: https://www.rankiteo.com/company/office-of-the-executive-vice-president-university-of-pennsylvania

"id": "OFF1764706785",
"linkid": "office-of-the-executive-vice-president-university-of-pennsylvania",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1488 (Maine '
                                                           'residents only)',
                                     'industry': 'Education',
                                     'location': 'Pennsylvania, USA',
                                     'name': 'University of Pennsylvania',
                                     'size': None,
                                     'type': 'University'}],
              'attack_vector': 'Exploitation of unknown security vulnerability',
              'customer_advisories': 'Notification letters sent to affected '
                                     'individuals',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': 'Yes',
                              'file_types_exposed': None,
                              'number_of_records_exposed': '1488 (Maine '
                                                           'residents only, '
                                                           'total unknown)',
                              'personally_identifiable_information': 'Yes',
                              'sensitivity_of_data': 'High (personally '
                                                     'identifiable '
                                                     'information)',
                              'type_of_data_compromised': 'Personal '
                                                          'information'},
              'date_detected': '2023-11',
              'date_publicly_disclosed': '2023-12-01',
              'description': 'Penn is investigating a cybersecurity breach of '
                             'its Oracle E-Business Suite servers that '
                             'compromised the personal information of '
                             'University-affiliated individuals across '
                             'multiple states. The breach exploited a '
                             'previously unknown security vulnerability in '
                             'Oracle’s system.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': 'Personal information',
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': 'Yes',
                         'legal_liabilities': None,
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'Oracle E-Business Suite servers'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing',
              'post_incident_analysis': {'corrective_actions': 'Applied '
                                                               'Oracle-issued '
                                                               'patches',
                                         'root_causes': 'Exploitation of '
                                                        'previously unknown '
                                                        'security '
                                                        'vulnerability in '
                                                        'Oracle E-Business '
                                                        'Suite'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'references': [{'date_accessed': None,
                              'source': 'The Daily Pennsylvanian',
                              'url': None},
                             {'date_accessed': None,
                              'source': 'Office of the Maine Attorney General',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': 'Filed '
                                                                    'with '
                                                                    'attorneys '
                                                                    'general '
                                                                    'in '
                                                                    'multiple '
                                                                    'states'},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': 'Letters filed with '
                                                     'attorneys general, '
                                                     'notification to affected '
                                                     'individuals',
                           'containment_measures': 'Applied Oracle-issued '
                                                   'patches to resolve the '
                                                   'vulnerability',
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': 'Yes',
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': None,
                           'third_party_assistance': 'Cybersecurity experts, '
                                                     'federal law enforcement'},
              'title': 'Oracle E-Business Suite Cybersecurity Breach at '
                       'University of Pennsylvania',
              'type': 'Data Breach',
              'vulnerability_exploited': 'Previously unknown security '
                                         'vulnerability in Oracle E-Business '
                                         'Suite'}