The University of Pennsylvania has revealed a data breach stemming from a cyberattack on its Oracle financial systems.
Quick Summary – TLDR:
- Hackers exploited a zero-day flaw in Oracle E-Business Suite to access Penn’s internal systems.
- Personal data of at least 1,488 individuals was stolen, with the real number possibly much higher.
- The Clop ransomware gang is suspected, linking Penn to a wider cyber extortion campaign.
- Penn joins other Ivy League schools recently hit by phishing and data theft attacks.
What Happened?
The University of Pennsylvania has confirmed a data breach involving its Oracle E-Business Suite (EBS) after attackers exploited a previously unknown vulnerability to steal sensitive personal information. The incident occurred in August but was officially disclosed in a filing with the Maine Attorney General’s office. The university says the breach is part of a larger cyberattack campaign affecting nearly 100 organizations.
Penn’s Oracle Systems Breached
In the breach notification sent to affected individuals, the university explained that unauthorized access to Penn’s Oracle EBS platform had occurred. A thorough investigation revealed that personal data was stolen, although the specific types of information remain undisclosed. The university has directly notified the 1,488 confirmed impacted individuals, though it admits the actual number could be far greater.
In an official statement, Penn said:
The breach was linked to a zero-day vulnerability now identified as CVE-2025-61882, which has since been patched. Penn confirmed that no university systems outside of Oracle EBS were compromised.
Part of a Larger Campaign by Clop
Though Penn did not confirm the attackers’ identity, details match a broader extortion campaign by the Clop ransomware gang, known for exploiting the same Oracle flaw since August 2025. Clop has targeted numerous organizations using similar tactics, including:
- Harvard University
- The Washington Post
- Logitech
- GlobalLogic
- Envoy Air (a subsidiary of American Airlines)
In most of these cases, Clop not only stole sensitive data but also published it on its dark web leak site. As of now, Penn has not appeared on Clop’s leak platform, raising questions about whether negotiations or ransom payments may be in play.
The university reassured the public that it has no evidence that the stolen information has been disclosed or misused. Penn also emphasized compliance with data protection laws, stating it is notifying all impacted individuals in accordance with legal requirements.
Ivy League Schools Under Fire
This incident marks the second cybersecurity breach Penn has disclosed in 2025. In October, the university admitted that a separate attacker had compromised internal systems, affecting around 1.2 million students, alumni, and donors.
The current breach follows a pattern of targeted attacks on elite academic institutions. Both Harvard and Princeton have also suffered from voice phishing and development system breaches in recent weeks, suggesting a coordinated effort by cybercriminals to exploit vulnerabilities in higher education.
SQ Magazine Takeaway
I think this is another wake-up call showing that even the most prestigious universities are not immune to sophisticated cyberattacks. With a $24.8 billion endowment and extensive digital infrastructure, Penn is a high-value target, and this breach proves how easily attackers can bypass security through zero-day vulnerabilities. What makes it worse is that this is not their first breach this year. Institutions with this kind of influence and budget need to invest more heavily in cybersecurity readiness, especially when dealing with personal data at this scale. And for the rest of us? Always be aware of where your personal information lives.
