Data Breaches

Penn and Phoenix Universities Disclose Data Breach After Oracle Hack

The University of Pennsylvania and the University of Phoenix confirm that they are victims of the recent Oracle EBS hacking campaign.

Universities hacked

The University of Pennsylvania and the University of Phoenix confirmed on Tuesday that they are among the many victims of the recent cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.

The University of Pennsylvania is sending out data breach notification letters to individuals whose personal information was compromised as a result of an attack on its Oracle EBS instance, which it uses for supplier payments, general ledger entries, and other business tasks.

Penn told the Maine Attorney General’s Office that nearly 1,500 of the state’s residents are impacted, but the total number of affected individuals has not been disclosed. 

The University of Phoenix disclosed the incident through its parent company, Phoenix Education Partners, in a filing with the Securities and Exchange Commission. 

UoPX said the intrusion was discovered only on November 21, one day after the university was listed on the Cl0p ransomware leak website. The Oracle EBS campaign came to light in early October. 

A probe showed that the hackers gained access to information such as name, contact details, dates of birth, Social Security numbers, and bank account information. 

Advertisement. Scroll to continue reading.

While for many of the victims the hackers have made public hundreds of gigabytes and even terabytes of data allegedly stolen from their systems, no UoPX data appears to have been released. 

The cybercriminals have yet to name the University of Pennsylvania as a victim of the Oracle hack. 

The University of Pennsylvania and the University of Phoenix are not the only universities targeted in the Oracle EBS campaign.

Harvard University was the first to confirm being impacted. Dartmouth College confirmed a data breach in late November, after cybercriminals leaked over 200 Gb of files allegedly stolen from the educational institution.

Southern Illinois University and Tulane University were also named as victims on the Cl0p website, but neither of them appears to have publicly confirmed being targeted. 

More than 100 organizations have been named as victims of the Oracle EBS attack and major companies such as Canon, Mazda, Cox, and Logitech have confirmed that they were targeted. Other industry giants, such as Broadcom and Schneider Electric, have yet to issue any public statements on the matter.

Several important questions remain unanswered, including which zero-day vulnerabilities have been exploited and who is behind the attack. The Cl0p ransomware group is the public-facing entity that has taken credit for the attack, but the cybersecurity industry believes an unidentified cluster of the FIN11 threat group is responsible. 

Related: Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks

Related: Washington Post Says Nearly 10,000 Employees Impacted by Oracle Hack 

Related Content

Cybercrime

The D1R cybercrime group claimed to have stolen valuable data from Synopsys and Bosch, threatening to leak it unless a ransom is paid. 

Data Breaches

The WorldLeaks extortion group claimed to have stolen 720 GB of data from the healthcare testing and laboratory services provider.

Data Breaches

Hackers exploited a zero-day vulnerability in a third-party system to access a KDDI email system for ISPs.

Data Breaches

Hackers accessed the institution’s internal network and deleted two drives containing employee, student, and university data.

Data Breaches

The professional services giant says it contained the incident, remediated its source, and experienced no operational or service delivery impact.

Cybercrime

In April, ShinyHunters accessed the company’s corporate IT systems and stole patients’ personal and medical information.

Data Breaches

Hackers accessed the insurance giant’s policyholder portal multiple times between June 15 and June 25.

Vulnerabilities

The critical-severity defect allows unauthenticated attackers to take over the E-Business Suite’s Payments product.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version