The University of Pennsylvania joined the steadily growing number of victim organizations impacted by the widespread data theft and extortion campaign involving a notorious ransomware group’s exploitation of a zero-day vulnerability and other defects in Oracle E-Business Suite earlier this year. 

The university filed a data breach notification in Maine Monday, confirming nearly 1,500 Maine residents were affected by an intrusion into its Oracle EBS environment over a three-day period in early August. 

The Ivy League school and dozens of other victims were not aware of the attack until Oracle acknowledged the critical vulnerability after members of the Clop ransomware group sent extortion emails to alleged victim organizations in late September. Attackers exploited multiple vulnerabilities to steal large amounts of data from several Oracle EBS customers in August, according to Mandiant.

The university said it determined some personal information was stolen from its Oracle EBS system on Nov. 11, but did not provide details about how many people were impacted and what type of data was stolen during the attack. 

“The University of Pennsylvania was one of nearly 100 already identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system,”a spokesperson for the university said in a statement.

“Penn has implemented the patches that Oracle issued to resolve the vulnerability,” the spokesperson added. “Penn has found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes.”

Other Ivy League schools were impacted by the targeted attacks on Oracle EBS customers as well, including Dartmouth College and Harvard University. 

Dartmouth filed data breach disclosures in California and Maine last month confirming that its Oracle EBS environment was also compromised over a few days in August. Personal data exposed by the breach included names, Social Security numbers and financial account information, according to Dartmouth. 

Harvard University said it was investigating a data breach involving its Oracle EBS system in mid-October, noting at the time that a limited number of people in a small administrative unit were impacted. Harvard said it found no evidence of compromise to other systems. 

The pool of victim organizations impacted by the mass exploitation of vulnerabilities in Oracle EBS underscores the risk posed by interconnected and widely used systems.

Cox Enterprises last month said personal data on almost 10,000 people was exposed by an attack on its Oracle EBS environment, which it discovered in late September. The attack occurred during the same period as other victim organizations in August, the media and automotive company said in a data breach notification filed in California. 

Logitech said it, too, was impacted by the widespread attacks on Oracle EBS customers. “The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system,” the computer peripherals and software vendor said in a Nov. 20 regulatory filing.

Other previously confirmed victims include The Washington Post, Envoy Air and GlobalLogic. 

Clop specializes in exploiting vulnerabilities in file-transfer services and has successfully intruded multiple technology vendors’ systems to steal massive amounts of data for extortion efforts. These attacks typically flow downstream, ensnaring organizations and people multiple layers removed from the initial targeted victims.

Clop infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The post University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks appeared first on CyberScoop.

The Washington Post said it, too, was impacted by the data theft and extortion campaign targeting Oracle E-Business Suite customers, compromising human resources data on nearly 10,000 current and former employees and contractors.

The company was first alerted to the attack and launched an investigation when a “bad actor” contacted the media company Sept. 29 claiming they gained access to the company’s Oracle applications, according to a data breach notification it filed in Maine Wednesday. The Washington Post later determined the attacker had access to its Oracle environment from July 10 to Aug. 22. 

The newspaper is among dozens of Oracle customers targeted by the Clop ransomware group, which exploited a zero-day vulnerability affecting Oracle E-Business Suite to steal heaps of data. Other confirmed victims include Envoy Air and GlobalLogic.

The Washington Post said it confirmed the extent of data stolen during the attack on Oct. 27, noting that personal information on 9,720 people, including names, bank account numbers and routing numbers, and Social Security numbers were exposed. The company didn’t explain why it took almost a month to determine the amount of data stolen and has not responded to multiple requests for comment. 

Oracle disclosed and issued a patch for the zero-day vulnerability —  CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Oct. 4, and previously said it was aware some customers had received extortion emails. Mandiant, responding to the immediate fallout from the attacks, said Clop exploited multiple vulnerabilities, including the zero-day to access and steal large amounts of data from Oracle E-Business Suite customer environments.

Oracle, its customers and third-party researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails from members of Clop demanding payment in late September. Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, previously told CyberScoop ransom demands reached up to $50 million.

Clop’s data-leak site included almost 30 alleged victims as of last week. The notorious ransomware group has threatened to leak alleged victims’ data unless it receives payment. 

The ransomware group has intruded multiple technology vendors’ systems before, allowing it to steal data and extort many downstream customers. Clop specializes in exploiting vulnerabilities in file-transfer services and achieved mass exploitation in 2023 when it infiltrated MOVEit environments, ultimately exposing data from more than 2,300 organizations.

The post Washington Post confirms data on nearly 10,000 people stolen from its Oracle environment appeared first on CyberScoop.

GlobalLogic, a digital engineering and product design company, said it was impacted by a widespread data theft and extortion campaign linked to a zero-day vulnerability in Oracle E-Business Suite.

The company, which was acquired by Hitachi in 2021 and has a current customer base of nearly 600 clients, filed data breach notifications with authorities in California and Maine on Friday. GlobalLogic said the attack exposed human resources data on nearly 10,500 current and former employees. 

GlobalLogic is among many Oracle customers targeted by attackers aligned with the Clop ransomware group, which exploited a zero-day vulnerability affecting the enterprise platform to steal massive amounts of data as far back as July. John Hultquist, chief analyst at Google Threat Intelligence Group, previously told CyberScoop dozens of organizations were impacted. 

GlobalLogic said it discovered the data breach Oct. 9 and, upon investigation, determined the initial breach occurred July 10. The most recent malicious activity occurred Aug. 20, the company said.

“This incident did not target or impact GlobalLogic’s systems outside our Oracle platform, and, based on industry reports, we are one of many Oracle customers believed to be impacted,” the company said in the notification letter sent to people impacted. GlobalLogic did not immediately respond to a request for comment.

Data exposed by the attack includes names, addresses, phone numbers, emergency contact information, email addresses, dates of birth, nationality, passport information, internal employee numbers, tax identifiers such as Social Security numbers, salary information, bank account details and routing numbers, according to GlobalData.

Upon discovering it was impacted, GlobalLogic said it immediately activated incident response procedures, notified law enforcement and engaged with third-party firms to assist with an investigation. “We also promptly applied software patches upon their release from Oracle to address the vulnerability,” the company said. 

Oracle disclosed and issued a patch for the zero-day vulnerability —  CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Oct. 4, and previously said it was aware some customers had received extortion emails. 

The zero-day wasn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims, according to Mandiant Consulting CTO Charles Carmakal. 

The significant lag time between when the attacks occurred and Oracle’s disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment. 

Clop’s ransom demands reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop last month.

Clop’s data-leak site included almost 30 alleged victims as of last week. The notorious ransomware group has threatened to leak alleged victims’ data unless it receives payment. 

One of those named victims, Envoy Air, a subsidiary of American Airlines, confirmed it was impacted by the attack spree. 

“We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised,” a spokesperson for Envoy Air said in a statement. 

GlobalLogic said it implemented Oracle’s recommended mitigation steps in the wake of the attack and took additional steps to improve its security.

The post Hitachi subsidiary GlobalLogic impacted by Clop’s attack spree on Oracle customers appeared first on CyberScoop.