Attackers exploited a previously unknown flaw in Oracle E-Business Suite; personal data of 1,488 individuals exposed, impact likely wider
Washington/Philadelphia | December 2, 2025 — The University of Pennsylvania (UPenn), one of the United States’ most prestigious Ivy League institutions, has confirmed a fresh data breach following a sophisticated cyberattack on its Oracle E-Business Suite (EBS) servers. The incident, linked to a widely exploited zero-day vulnerability, has once again raised serious concerns over the rising scale and frequency of cyberattacks targeting elite universities and research centres.
Founded in 1740, UPenn is home to more than 29,000 students, 5,800 faculty members, and one of the wealthiest university endowments in the world—valued at USD 24.8 billion. Its size, reputation, and vast research ecosystem make it a high-value target for global threat actors.
Attackers Accessed EBS Data Through Unpatched Oracle Zero-Day Flaw
According to a data breach notification filed with the Maine Attorney General’s Office, the university discovered that attackers had exploited a zero-day vulnerability in Oracle EBS to gain unauthorized access to sensitive documents in August 2025.
At least 1,488 individuals have been directly notified as affected. However, UPenn cautioned that the true number may be significantly higher, as several data sets remain under review.
The university informed affected individuals:
“During our investigation, we determined that certain Oracle EBS data was accessed without authorization. On November 11, 2025, we confirmed that your personal information was among the material obtained.”
While the exact nature of the compromised data is redacted in official filings, such records typically include names, personal identifiers, employee or student records, and financial data.
UPenn: No Sign of Data Misuse or External System Compromise
In a statement to BleepingComputer, a UPenn spokesperson said the university was among nearly 100 organizations worldwide affected by the Oracle EBS zero-day campaign.
The university emphasized that:
- Oracle’s security patches were applied immediately
- No other internal systems beyond EBS were compromised
- There is no evidence the stolen data has been leaked, sold, or misused
- Impacted individuals are being informed as per regulatory requirements
UPenn maintained that, based on current assessments, attackers did not breach broader networks or core administrative systems.
Clop Ransomware Syndicate Suspected Behind Global Campaign
While UPenn has not formally attributed the breach to a specific group, several indicators suggest it is part of a larger extortion campaign linked to the Clop ransomware syndicate, which has been exploiting CVE-2025-61882 since early August.
This campaign has already compromised major organizations, including:
- Harvard University
- Princeton University
- The Washington Post
- GlobalLogic
- Logitech
- American Airlines subsidiary Envoy Air
In other cases, Clop published stolen data on its dark-web leak portal and distributed data archives via torrents.
UPenn has not yet appeared on Clop’s leak site. Cybersecurity analysts interpret this as either:
- Ongoing negotiations between the university and attackers, or
- The possibility of a ransom payment, though no confirmation exists
Ivy League Institutions Facing Escalating Cyber Threats
Ivy League universities have faced a sharp rise in cyber incidents in recent weeks—from mass data breaches to targeted voice-phishing attacks. Harvard and Princeton have both reported breaches affecting donor, alumni, student, and staff data.
Security experts cite several reasons universities remain attractive targets:
- Massive repositories of personal and financial data
- Access to sensitive, government-funded research
- Chronic underinvestment in modern cybersecurity infrastructure
Together, these factors create a high-reward, comparatively low-risk environment for attackers.
