• Home
  • cyber
  • Oracle and SUNY Research Foundation: Personal data of SUNY Research Foundation staff stolen by cybercriminals
cyber Vulnerability

Oracle and SUNY Research Foundation: Personal data of SUNY Research Foundation staff stolen by cybercriminals

Aug 9, 2025 2 min read
Oracle and SUNY Research Foundation: Personal data of SUNY Research Foundation staff stolen by cybercriminals

SUNY Research Foundation Hit by Zero-Day Data Breach, Exposing Employee Personal Data

The SUNY Research Foundation, based in Albany, New York, disclosed a data breach involving a zero-day vulnerability in Oracle’s eBusiness Suite. The attack occurred between August 9 and 11, with cybercriminals accessing personnel files containing sensitive employee information, including Social Security numbers. Oracle identified the flaw and released an urgent patch, but the breach went undetected until early October, when the company notified the foundation on October 10.

Despite discovering the breach in October, the foundation only determined which files were accessed on November 26 nearly three months after the initial incident. Affected employees were notified last week, more than 60 days after the files were identified, exceeding New York’s 30-day notification requirement for data breaches. A foundation spokesperson acknowledged the delay, citing the complexity of forensic analysis needed to assess the scope of the breach.

The foundation confirmed that no research data was compromised, and the attack was limited to personnel documents. The incident follows a pattern of similar breaches affecting thousands of organizations worldwide using the same Oracle software. The full extent of the exposure and potential misuse of the stolen data remains unclear.

Source: https://www.timesunion.com/education/article/suny-research-foundation-staff-s-personal-data-21333632.php

Oracle TPRM report: https://www.rankiteo.com/company/oracle

SUNY Research Foundation TPRM report: https://www.rankiteo.com/company/the-research-foundation-for-suny

"id": "orathe1770237797",
"linkid": "oracle, the-research-foundation-for-suny",
"type": "Vulnerability",
"date": "8/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Employees',
                        'industry': 'Education/Research',
                        'location': 'Albany, New York',
                        'name': 'SUNY Research Foundation',
                        'type': 'Research Foundation'}],
 'attack_vector': 'Zero-day vulnerability',
 'customer_advisories': 'Affected employees were notified last week',
 'data_breach': {'personally_identifiable_information': 'Social Security '
                                                        'numbers',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information)',
                 'type_of_data_compromised': 'Personnel files, Social Security '
                                             'numbers'},
 'date_detected': '2023-10-10',
 'description': 'The SUNY Research Foundation, based in Albany, New York, '
                'disclosed a data breach involving a zero-day vulnerability in '
                'Oracle’s eBusiness Suite. The attack occurred between August '
                '9 and 11, with cybercriminals accessing personnel files '
                'containing sensitive employee information, including Social '
                'Security numbers. Oracle identified the flaw and released an '
                'urgent patch, but the breach went undetected until early '
                'October. Despite discovering the breach in October, the '
                'foundation only determined which files were accessed on '
                'November 26, nearly three months after the initial incident. '
                'Affected employees were notified last week, exceeding New '
                'York’s 30-day notification requirement for data breaches.',
 'impact': {'data_compromised': 'Personnel files containing sensitive employee '
                                'information, including Social Security '
                                'numbers',
            'identity_theft_risk': 'High (Social Security numbers exposed)',
            'legal_liabilities': 'Potential violation of New York’s 30-day '
                                 'notification requirement for data breaches',
            'systems_affected': 'Oracle’s eBusiness Suite'},
 'investigation_status': 'Ongoing (forensic analysis completed, but full '
                         'extent unclear)',
 'post_incident_analysis': {'corrective_actions': 'Oracle released an urgent '
                                                  'patch',
                            'root_causes': 'Zero-day vulnerability in Oracle’s '
                                           'eBusiness Suite'},
 'references': [{'source': 'Incident disclosure by SUNY Research Foundation'}],
 'regulatory_compliance': {'regulations_violated': 'New York’s 30-day '
                                                   'notification requirement '
                                                   'for data breaches'},
 'response': {'communication_strategy': 'Affected employees were notified last '
                                        'week',
              'containment_measures': 'Oracle released an urgent patch for the '
                                      'zero-day vulnerability'},
 'title': 'SUNY Research Foundation Hit by Zero-Day Data Breach, Exposing '
          'Employee Personal Data',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Zero-day vulnerability in Oracle’s eBusiness '
                            'Suite'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.