The College of Pennsylvania (Penn) has introduced a brand new data breach after attackers stole paperwork containing private info from its Oracle E-Enterprise Suite servers in August.
The personal Ivy League analysis college was based in 1740 and has 5,827 school members and 29,109 college students, with an 8:1 student-to-faculty ratio. It additionally has a tutorial working finances of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025.
The College of Pennsylvania disclosed one other breach in late October 2025, after a hacker compromised inner techniques and stole knowledge on Penn’s growth and alumni actions. The attacker claimed they exfiltrated private info belonging to roughly 1.2 million college students, alumni, and donors.
In latest weeks, different Ivy League colleges have been focused by a collection of voice phishing assaults, with Harvard College and Princeton College additionally reporting {that a} hacker breached techniques used for growth and alumni actions to steal the non-public info of scholars, alumni, donors, workers, and college.
Penn’s Oracle EBS breach
In a breach notification letter filed with the workplace of Maine’s Legal professional Basic this week, Penn famous that the attackers exploited a beforehand unknown security vulnerability within the Oracle E-Enterprise Suite (EBS) monetary utility (also called a zero-day flaw) to steal the non-public info belonging to 1,488 people.
Nevertheless, the variety of folks doubtlessly impacted by the incident is probably going a lot bigger, seeing that the varsity has but to reveal the precise variety of people whose knowledge was compromised within the assault.
“In the middle of Penn’s personal investigation, we found that some knowledge from Penn’s Oracle EBS had been obtained with out authorization. We then initiated an in depth overview to find out whether or not any private info was concerned and to establish the affected people,” the college advised these affected by the data breach.
“On November 11, 2025, Penn decided that your private info was among the many info obtained from Oracle EBS.”
Whereas the kinds of knowledge uncovered within the breach are censored within the filed notification letters, Penn did inform the Maine OAG that the menace actors stole information containing the names or different private identifiers of impacted folks.
A spokesperson for Penn supplied a press release to BleepingComputer right this moment, however didn’t disclose particulars concerning the attackers, the kinds of knowledge stolen, or the variety of people impacted by the data breach.
“The College of Pennsylvania was one in every of almost 100 already recognized organizations concurrently impacted by the broadly exploited Oracle E-Enterprise Suite incident, involving a beforehand unknown security vulnerability in Oracle’s system. Penn has carried out the patches that Oracle issued to resolve the vulnerability which didn’t compromise any College techniques exterior of Oracle’s E-Enterprise Suite,” BleepingComputer was advised.
“We’re within the strategy of straight notifying people whose private info was concerned in accordance with relevant legal guidelines and laws. Importantly, Penn has discovered no proof that any of this info has been or is prone to be publicly disclosed or misused for fraudulent functions.”
Clop’s Oracle EBS knowledge theft assaults
Though the College of Pennsylvania has but to attribute the breach, based mostly on the small print shared within the breach notification letters, the incident is a component of a bigger extortion marketing campaign during which the Clop ransomware gang has exploited a zero-day flaw (CVE-2025-61882)to steal delicate information from many organizations’ Oracle EBS platforms since early August 2025.
It is also price noting that Clop has but so as to add the College of Pennsylvania to its leak website, suggesting the college is both nonetheless negotiating with the menace group or has already paid a ransom.
In the identical marketing campaign, Clop has additionally focused Harvard College, The Washington Publish, GlobalLogic, Logitech, and American Airways subsidiary Envoy Air, publishing the stolen knowledge on its darkish internet leak website and making it out there for obtain through Torrent.
Up to now, the extortion group additionally orchestrated a number of knowledge theft campaigns concentrating on Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Switch prospects, the latter of which affected over 2,770 organizations.
The U.S. State Division now gives a $10 million bounty to anybody who can present info tying Clop’s assaults to a overseas authorities.
Replace December 02, 08:13 EST: Added assertion from College of Pennsylvania.
Damaged IAM is not simply an IT downside – the affect ripples throughout your complete enterprise.
This sensible information covers why conventional IAM practices fail to maintain up with trendy calls for, examples of what “good” IAM appears like, and a easy guidelines for constructing a scalable technique.
