University of Pennsylvania Data Breach via Clop Exploitation of Oracle E-Business Suite
The University of Pennsylvania suffered a data breach after attackers exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), resulting in the theft of personal information from its systems. The Clop ransomware group is believed to be behind this attack, which targeted numerous Oracle EBS customers worldwide, including other Ivy League institutions such as Dartmouth College and Harvard University. The breach notification filed with Maine's Attorney General confirmed that at least 1,488 individuals were affected, though the total number of victims is likely higher. The university responded by patching its systems after Oracle released fixes and notified federal law enforcement.
The attack was part of a broader campaign in which Clop exploited multiple vulnerabilities in Oracle EBS to steal large amounts of data from various organizations. The University of Pennsylvania only became aware of the breach after Oracle acknowledged the vulnerability and Clop began sending extortion emails to victim organizations. While the university has not disclosed the specific types of data stolen, it has stated that there is no evidence the information has been publicly disclosed or misused. The incident highlights the risks associated with unpatched enterprise software and the growing trend of ransomware groups exploiting zero-day vulnerabilities for data theft and extortion.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
University of Pennsylvania publicly confirms Oracle EBS data breach
On December 2, 2025, Penn publicly confirmed that attackers exploited the Oracle EBS vulnerability to steal personal data. The university said it was notifying affected individuals, offering credit monitoring, and had found no evidence of public disclosure or misuse of the stolen data.
University of Pennsylvania patches systems and notifies law enforcement
Following Oracle's fix, Penn patched the affected systems, notified federal law enforcement, and continued investigating with cybersecurity experts. The university also began reinforcing its security posture in response to the breach.
Oracle releases patches for the exploited EBS vulnerability
Oracle released a fix for CVE-2025-61882 after the attacks, enabling affected organizations to remediate the exploited Oracle EBS flaw. Victims including the University of Pennsylvania later applied the patches.
Clop publicly extorts Oracle EBS victims and leaks samples
After the intrusions, Clop sent extortion emails to victims and publicly boasted about the Oracle EBS attacks, including leaking sample data from breached organizations. Some victims reportedly only learned of the compromise after these extortion efforts and Oracle's disclosure.
Maine breach filing discloses Penn impact on nearly 1,500 residents
A Maine data breach notification published on December 1, 2025, disclosed that the University of Pennsylvania incident affected nearly 1,500 Maine residents. The filing provided the first public indication of the scale of Penn's breach.
University of Pennsylvania is breached over three days in August
During a three-day period in August 2025, the University of Pennsylvania's Oracle EBS environment was compromised, and documents containing personal information were stolen. The breach ultimately affected at least 1,488 individuals, including nearly 1,500 Maine residents reported in state filings.
Clop begins exploiting Oracle EBS zero-day in broad campaign
In August 2025, attackers attributed to the Clop ransomware group began exploiting Oracle E-Business Suite zero-day CVE-2025-61882 and related flaws in a large-scale data theft and extortion campaign affecting nearly 100 organizations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
University of Pennsylvania and University of Phoenix disclose data breaches
securityaffairs.com
Open sourceOracle EBS hack hits University of Pennsylvania
scworld.com
Open sourceUniversity of Pennsylvania joins list of victims from Clop's Oracle EBS raid
go.theregister.com
Open sourceUniversity of Pennsylvania confirms new data breach after Oracle hack
bleepingcomputer.com
Open sourceUniversity of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks
cyberscoop.com
Open sourceData Breach Notifications
maine.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
University of Phoenix Data Breach via Oracle E-Business Suite Exploit
The University of Phoenix disclosed a significant data breach after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, detected on November 21, 2025, resulted in unauthorized access to sensitive personal and financial information, including names, contact details, dates of birth, Social Security numbers, and bank account information of numerous current and former students, employees, faculty, and suppliers. The incident was revealed after the university was listed on the leak site of a prominent Russian extortion group, believed to be the Clop ransomware gang, which has targeted multiple U.S. educational institutions through the same Oracle EBS vulnerability. The university's parent company, Phoenix Education Partners, filed a notice with the U.S. Securities and Exchange Commission (SEC), confirming the breach and stating that cybersecurity insurance would cover the response and remediation costs. While the attackers have not publicly disseminated the stolen data, the university is continuing its investigation and will notify affected individuals and regulatory entities. The breach is part of a broader campaign that has impacted other major universities, highlighting the risks associated with unpatched enterprise software vulnerabilities.
Mar 21, 2026
University of Phoenix Data Breach Exposes 3.5 Million Records via Oracle EBS Exploit
University of Phoenix suffered a major data breach affecting approximately 3.5 million individuals, including students, staff, and suppliers, after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, attributed to the Clop ransomware gang, resulted in the exposure of sensitive personal and financial information such as names, contact details, dates of birth, Social Security numbers, and bank account information. The incident was discovered on November 21, 2025, several months after the initial compromise in August, highlighting significant gaps in the university’s security monitoring and detection capabilities. Following regulatory requirements, especially in Maine where over 9,000 residents were affected, the University of Phoenix issued formal notifications and offered complimentary identity theft protection services, including credit monitoring and fraud reimbursement. The breach has raised concerns about the adequacy of cybersecurity defenses in higher education and prompted the university to engage legal counsel and external experts to manage the response and notification process. The Clop ransomware group’s involvement and the exploitation of a critical Oracle EBS vulnerability underscore the evolving threat landscape facing educational institutions.
Mar 21, 2026
Oracle E-Business Suite Zero-Day Exploited by Clop Ransomware Group
Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to compromise major organizations including Schneider Electric, Emerson, Harvard University, and others. The vulnerability allowed unauthenticated remote access to Oracle Concurrent Processing, enabling attackers to exfiltrate large volumes of sensitive data such as ERP records, financial documents, procurement workflows, and engineering files. Clop reportedly maintained access for months, exfiltrating 2.7 terabytes from Emerson and 116 gigabytes from Schneider Electric, with the breach going undetected by traditional monitoring tools. Security experts warn that the impact extends beyond data theft, as attackers may leverage stolen information for extortion, supply chain exploitation, and credential harvesting. Oracle has released patches for CVE-2025-61882 and strongly urges all EBS customers to apply updates immediately. The campaign highlights the risks posed by trusted vendor dependencies and the potential for widespread disruption across critical infrastructure and operational technology supply chains. Attribution remains under investigation, with both Clop and the financially motivated FIN11 group suspected of involvement.
Mar 21, 2026