The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August.
The private Ivy League research university was founded in 1740 and has 5,827 faculty members and 29,109 students, with an 8:1 student-to-faculty ratio. It also has an academic operating budget of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025.
The University of Pennsylvania disclosed another breach in late October 2025, after a hacker compromised internal systems and stole data on Penn's development and alumni activities. The attacker claimed they exfiltrated personal information belonging to roughly 1.2 million students, alumni, and donors.
In recent weeks, other Ivy League schools have been targeted by a series of voice phishing attacks, with Harvard University and Princeton University also reporting that a hacker breached systems used for development and alumni activities to steal the personal information of students, alumni, donors, staff, and faculty.
Penn's Oracle EBS breach
In a breach notification letter filed with the office of Maine's Attorney General this week, Penn noted that the attackers exploited a previously unknown security vulnerability in the Oracle E-Business Suite (EBS) financial application (also known as a zero-day flaw) to steal the personal information belonging to 1,488 individuals.
However, the number of people potentially impacted by the i
University of Pennsylvania cybersecurity rating report: https://www.rankiteo.com/company/university-of-pennsylvania
"id": "UNI1764684299",
"linkid": "university-of-pennsylvania",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,488 individuals '
'(August breach); '
'~1.2 million '
'students, alumni, '
'and donors '
'(October breach)',
'industry': 'Higher Education',
'location': 'Philadelphia, Pennsylvania, '
'USA',
'name': 'University of Pennsylvania '
'(Penn)',
'size': '29,109 students, 5,827 faculty '
'members',
'type': 'Educational Institution (Private '
'Ivy League University)'},
{'customers_affected': None,
'industry': 'Higher Education',
'location': 'Cambridge, Massachusetts, '
'USA',
'name': 'Harvard University',
'size': None,
'type': 'Educational Institution (Private '
'Ivy League University)'},
{'customers_affected': None,
'industry': 'Higher Education',
'location': 'Princeton, New Jersey, USA',
'name': 'Princeton University',
'size': None,
'type': 'Educational Institution (Private '
'Ivy League University)'}],
'attack_vector': ['Zero-Day Vulnerability in Oracle E-Business '
'Suite',
'Voice Phishing (for broader Ivy League '
'attacks)'],
'customer_advisories': 'Breach notification letters sent to '
'affected individuals',
'data_breach': {'data_encryption': None,
'data_exfiltration': True,
'file_types_exposed': None,
'number_of_records_exposed': ['1,488 (August '
'breach)',
'~1,200,000 '
'(October breach)'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (personal '
'information of students, '
'alumni, donors, faculty, '
'and staff)',
'type_of_data_compromised': 'Personal '
'information'},
'date_publicly_disclosed': '2025-10-late',
'description': 'The University of Pennsylvania (Penn) announced '
'a data breach after attackers exploited a '
'zero-day vulnerability in its Oracle E-Business '
'Suite (EBS) servers in August 2025, stealing '
'personal information of 1,488 individuals. A '
'separate breach in late October 2025 involved a '
'hacker compromising internal systems and '
'exfiltrating data on roughly 1.2 million '
'students, alumni, and donors related to '
'development and alumni activities. The incident '
'is part of a broader series of voice phishing '
'attacks targeting Ivy League institutions, '
'including Harvard and Princeton.',
'impact': {'brand_reputation_impact': 'Potential reputational '
'damage due to breach '
'affecting students, '
'alumni, and donors',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': ['Personal information of 1,488 '
'individuals (August breach)',
'Personal information of ~1.2 '
'million students, alumni, and '
'donors (October breach)'],
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High (personal information '
'exposed)',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': ['Oracle E-Business Suite (EBS) '
'servers',
'Internal systems (development '
'and alumni activities)']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': ['Zero-day '
'vulnerability in '
'Oracle EBS (August)',
'Voice phishing '
'(broader Ivy League '
'attacks)'],
'high_value_targets': ['Development '
'and alumni '
'activity '
'systems',
'Personal data '
'of students, '
'alumni, and '
'donors'],
'reconnaissance_period': None},
'investigation_status': 'Ongoing (as of late October 2025)',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': ['Zero-day '
'vulnerability in '
'Oracle EBS',
'Potential voice '
'phishing (for '
'broader attacks)']},
'ransomware': {'data_encryption': None,
'data_exfiltration': True,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'University of Pennsylvania Breach '
'Notification (Maine AG Office)',
'url': None},
{'date_accessed': None,
'source': 'University of Pennsylvania Public '
'Disclosure (October 2025)',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': 'Maine '
'Attorney '
'General '
'(breach '
'notification '
'letter)'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Breach notification '
'letter filed with '
"Maine's Attorney General",
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'title': 'University of Pennsylvania Oracle E-Business Suite '
'Data Breach',
'type': ['Data Breach',
'Zero-Day Exploit',
'Voice Phishing (related context)'],
'vulnerability_exploited': 'Unknown (zero-day) vulnerability in '
'Oracle E-Business Suite (EBS)'}