The University of Pennsylvania has revealed a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August.

Penn, a private Ivy League university founded in 1740, has nearly six thousand faculty members and more than twenty-nine thousand students. As of mid-2025, it manages an academic budget of 4.7 billion dollars and an endowment of 24.8 billion dollars.

This incident comes only weeks after another breach was disclosed in late October, when a hacker broke into internal systems and stole data related to Penn’s development and alumni operations. The attacker claimed to have taken information belonging to about 1.2 million students, alumni, and donors. Other Ivy League schools have also been targeted recently, including Harvard and Princeton, which reported voice phishing attacks that led to unauthorized access to systems holding personal information of students, staff, faculty, and donors.

In a breach notice filed with the Maine Attorney General, Penn explained that the attackers used a previously unknown security flaw in the Oracle E-Business Suite financial application to steal personal information. So far, the university has identified 1,488 affected individuals, but the actual number is likely higher because Penn has not yet confirmed how many people’s data was accessed.

Penn told those affected that investigators discovered unauthorized access to Oracle EBS data during the course of their review. On November 11, 2025, the university confirmed that personal information belonging to certain individuals was part of the stolen data. Although the exact data types were redacted in the official letter, Penn stated that files containing names or other personal identifiers were taken.


A spokesperson said that Penn was one of almost one hundred organizations affected by the same Oracle EBS vulnerability, which attackers widely exploited. The university has applied Oracle’s patches and noted that the issue did not spread to its other systems. Penn is directly notifying affected individuals and says it has no evidence that the stolen information has been published or used for fraud.

While Penn has not named the group behind the attack, details in the notification match a larger extortion campaign linked to the Clop ransomware gang. Since early August 2025, Clop has been exploiting a zero-day flaw known as CVE-2025-61882 to steal data from Oracle EBS systems across many organizations. Interestingly, Penn has not yet appeared on Clop’s leak site, which may mean the university is still in negotiations or may have settled with the attackers.

In the same campaign, Clop has targeted Harvard University, The Washington Post, GlobalLogic, Logitech, and Envoy Air, releasing stolen data on its dark web site and sharing it through Torrent links. The group has a long history of large-scale data theft, including attacks on Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer, the last of which affected more than 2,700 organizations.



The U.S. State Department is offering a reward of up to 10 million dollars for information connecting Clop’s activities to a foreign government.
