The University of Pennsylvania joined the steadily growing number of victim organizations impacted by the widespread data theft and extortion campaign involving a notorious ransomware group’s exploitation of a zero-day vulnerability and other defects in Oracle E-Business Suite earlier this year.
The university filed a data breach notification in Maine Monday, confirming nearly 1,500 Maine residents were affected by an intrusion into its Oracle EBS environment over a three-day period in early August.
The Ivy League school and dozens of other victims were not aware of the attack until Oracle acknowledged the critical vulnerability after members of the Clop ransomware group sent extortion emails to alleged victim organizations in late September. Attackers exploited multiple vulnerabilities to steal large amounts of data from several Oracle EBS customers in August, according to Mandiant.
The university said it determined on Nov. 11 that some personal information was stolen from its Oracle EBS system, but did not provide details about how many people were impacted and what type of data was stolen during the attack.
“The University of Pennsylvania was one of nearly 100 already identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system,” a spokesperson for the university said in a statement.
“Penn has implemented the patches that Oracle issued to resolve the vulnerability,” the spokesperson added. “Penn has found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes.”
Other Ivy League schools were impacted by the targeted attacks on Oracle EBS customers as well, including Dartmouth College and Harvard University.
Dartmouth filed data breach disclosures in California and Maine last month confirming that its Oracle EBS environment was also compromised over a few days in August. Personal data exposed by the breach included names, Social Security numbers and financial account information, according to Dartmouth.
Harvard University said it was investigating a data breach involving its Oracle EBS system in mid-October, noting at the time that a limited number of people in a small administrative unit were impacted. Harvard said it found no evidence of compromise to other systems.
The pool of victim organizations impacted by the mass exploitation of vulnerabilities in Oracle EBS underscores the risk posed by interconnected and widely used systems.
Cox Enterprises last month said personal data on almost 10,000 people was exposed by an attack on its Oracle EBS environment, which it discovered in late September. The attack occurred in August, during the same period as the attacks on other victim organizations, the media and automotive company said in a data breach notification filed in California.
Logitech said it, too, was impacted by the widespread attacks on Oracle EBS customers. “The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system,” the computer peripherals and software vendor said in a Nov. 20 regulatory filing.
Other previously confirmed victims include The Washington Post, Envoy Air and GlobalLogic.
Clop specializes in exploiting vulnerabilities in file-transfer services and has successfully intruded into multiple technology vendors’ systems to steal massive amounts of data for extortion efforts. These attacks typically flow downstream, ensnaring organizations and people multiple layers removed from the initial targeted victims.
Clop infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.
