University of Pennsylvania joins list of victims from Clop’s Oracle EBS raid
Summary
The University of Pennsylvania has confirmed it was breached after attackers exploited a zero-day in Oracle’s E-Business Suite (EBS). Penn says the intrusion allowed the theft of personal data from its EBS instance used for payments, reimbursements and procurement. The university discovered the unauthorised access on 11 November, patched systems after Oracle released fixes, and alerted federal authorities. A notification filed with Maine’s attorney general indicates 1,488 Maine residents were affected; the full scope of the breach and the specific categories of data taken are redacted in the filing.
Key Points
- Attackers exploited an Oracle EBS zero-day (tracked as CVE-2025-61882) that Clop has been abusing at scale.
- Penn discovered the breach on 11 November and filed a notice on 1 December; details on total victims and exact data types are redacted.
- The notice confirms 1,488 Maine residents were among those impacted, but the overall count remains unspecified.
- Penn patched its systems after Oracle released fixes and is offering two years of Experian credit monitoring to affected individuals.
- The university says there’s “no evidence” the stolen information has been misused so far and is cooperating with a federal investigation.
- Penn joins other recent victims of the Clop Oracle EBS campaign, including Dartmouth College, an American Airlines subsidiary and media organisations.
- Clop’s campaign has reportedly been exploiting unpatched EBS servers since early August, leaking samples from dozens of breached organisations.
Context and relevance
This incident is part of a broad, ongoing campaign by the Clop gang targeting Oracle EBS deployments worldwide. Organisations that run EBS for procurement, payments or finance are especially exposed because those systems often contain sensitive personal and financial records. The pattern of disclosures — redacted notices, partial victim counts, and delayed full disclosures — is complicating incident response and victim notification across sectors, including higher education.
Why should I read this?
If you or your organisation uses Oracle EBS (or manages payroll, supplier or procurement data), pay attention — this is not a one-off. Patch management, quick detection and a solid incident response plan are what stop these breaches getting worse. Also, if you got a notification from Penn or similar institutions, take the credit-monitoring offer and watch your statements.
Author’s take
This is a big-picture wake-up call. Clop’s raid isn’t picky — it’s industrial-scale and hits critical business systems. Organisations need to move faster on Oracle’s patches, hunt for signs of lateral movement, and be transparent about what data was taken. For anyone responsible for security or compliance, dig into the details and check your EBS estate now.
