University of Pennsylvania confirms new data breach after Oracle hack

​The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August.

The private Ivy League research university was founded in 1740 and has 5,827 faculty members and 29,109 students, with an 8:1 student-to-faculty ratio. It also has an academic operating budget of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025.

The University of Pennsylvania disclosed another breach in late October 2025, after a hacker compromised internal systems and stole data on Penn’s development and alumni activities. The attacker claimed they exfiltrated personal information belonging to roughly 1.2 million students, alumni, and donors.

In recent weeks, other Ivy League schools have been targeted by a series of voice phishing attacks, with Harvard University and Princeton University also reporting that a hacker breached systems used for development and alumni activities to steal the personal information of students, alumni, donors, staff, and faculty.

Penn’s Oracle EBS breach

In a breach notification letter filed with the office of Maine’s Attorney General this week, Penn noted that the attackers exploited a previously unknown security vulnerability in the Oracle E-Business Suite (EBS) financial application (also known as a zero-day flaw) to steal the personal information belonging to 1,488 individuals.

However, the number of people potentially impacted by the incident is likely much larger, seeing that the school has yet to disclose the exact number of individuals whose data was compromised in the attack.

“In the course of Penn’s own investigation, we discovered that some data from Penn’s Oracle EBS had been obtained without authorization. We then initiated a detailed review to determine whether any personal information was involved and to identify the affected individuals,” the university told those affected by the data breach.

“On November 11, 2025, Penn determined that your personal information was among the information obtained from Oracle EBS.”

While the types of data exposed in the breach are censored in the filed notification letters, Penn did inform the Maine OAG that the threat actors stole files containing the names or other personal identifiers of impacted people.

It also added that it has yet to find evidence that any of the stolen information has been misused or leaked online since the attack.

A Penn spokesperson couldn’t provide a statement regarding who was behind the attack and the number of individuals affected by the data breach when contacted by BleepingComputer earlier today.

Clop’s Oracle EBS data theft attacks

Although the University of Pennsylvania has yet to attribute the breach, based on the details shared in the breach notification letters, the incident is part of a larger extortion campaign in which the Clop ransomware gang has exploited a zero-day flaw (CVE-2025-61882)to steal sensitive files from many organizations’ Oracle EBS platforms since early August 2025.

It’s also worth noting that Clop has yet to add the University of Pennsylvania to its leak site, suggesting the university is either still negotiating with the threat group or has already paid a ransom.

In the same campaign, Clop has also targeted Harvard University, The Washington Post, GlobalLogic, Logitech, and American Airlines subsidiary Envoy Air, publishing the stolen data on its dark web leak site and making it available for download via Torrent.

In the past, the extortion group also orchestrated multiple data theft campaigns targeting Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer customers, the latter of which affected over 2,770 organizations.

The U.S. State Department now offers a $10 million bounty to anyone who can provide information tying Clop’s attacks to a foreign government.