University of Pennsylvania Data Breach (2025)

"The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August. In a breach notification letter filed with the office of Maine's Attorney General this week, Penn noted that the attackers exploited a previously unknown security vulnerability in the Oracle E-Business Suite (EBS) financial application (also known as a zero-day flaw) to steal the personal information belonging to 1,488 individuals. However, the number of people potentially impacted by the incident is likely much larger, seeing that the school has yet to disclose the exact number of individuals whose data was compromised in the attack. "In the course of Penn's own investigation, we discovered that some data from Penn's Oracle EBS had been obtained without authorization. We then initiated a detailed review to determine whether any personal information was involved and to identify the affected individuals," the university told those affected by the data breach. "On November 11, 2025, Penn determined that your personal information was among the information obtained from Oracle EBS." While the types of data exposed in the breach are censored in the filed notification letters, Penn did inform the Maine OAG that the threat actors stole files containing the names or other personal identifiers of impacted people. A spokesperson for Penn provided a statement to BleepingComputer today, but did not disclose details about the attackers, the types of data stolen, or the number of individuals impacted by the data breach. "The University of Pennsylvania was one of nearly 100 already identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system. Penn has implemented the patches that Oracle issued to resolve the vulnerability which did not compromise any University systems outside of Oracle’s E-Business Suite," BleepingComputer was told."