The University of Pennsylvania and the University of Phoenix confirmed on Tuesday that they are among the many victims of the recent cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.
The University of Pennsylvania is sending out data breach notification letters to individuals whose personal information was compromised as a result of an attack on its Oracle EBS instance, which it uses for supplier payments, general ledger entries, and other business tasks.
Penn told the Maine Attorney General’s Office that nearly 1,500 of the state’s residents are impacted, but the total number of affected individuals has not been disclosed.
The University of Phoenix disclosed the incident through its parent company, Phoenix Education Partners, in a filing with the Securities and Exchange Commission.
UoPX said the intrusion was discovered only on November 21, one day after the university was listed on the Cl0p ransomware leak website. The Oracle EBS campaign came to light in early October.
A probe showed that the hackers gained access to information such as name, contact details, dates of birth, Social Security numbers, and bank account information.
While for many of the victims the hackers have made public hundreds of gigabytes and even terabytes of data allegedly stolen from their systems, no UoPX data appears to have been released.
The cybercriminals have yet to name the University of Pennsylvania as a victim of the Oracle hack.
The University of Pennsylvania and the University of Phoenix are not the only universities targeted in the Oracle EBS campaign.
Harvard University was the first to confirm being impacted. Dartmouth College confirmed a data breach in late November, after cybercriminals leaked over 200 Gb of files allegedly stolen from the educational institution.
Southern Illinois University and Tulane University were also named as victims on the Cl0p website, but neither of them appears to have publicly confirmed being targeted.
More than 100 organizations have been named as victims of the Oracle EBS attack and major companies such as Canon, Mazda, Cox, and Logitech have confirmed that they were targeted. Other industry giants, such as Broadcom and Schneider Electric, have yet to issue any public statements on the matter.
Several important questions remain unanswered, including which zero-day vulnerabilities have been exploited and who is behind the attack. The Cl0p ransomware group is the public-facing entity that has taken credit for the attack, but the cybersecurity industry believes an unidentified cluster of the FIN11 threat group is responsible.
Related: Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks
Related: Washington Post Says Nearly 10,000 Employees Impacted by Oracle Hack
