Tulane University victimised in Oracle E-Business Suite hack

Thousands of individuals had their sensitive personal information exposed after Tulane University experienced a major data breach after hackers exploited a zero-day vulnerability in Oracle’s E-Business Suite.

In a recent filing with the Office of New Hampshire Attorney General, Tulane University said it experienced a data security incident after attackers exploited a zero-day vulnerability in the college’s Oracle E-Business Suite server and stole files containing sensitive personal information.

 

Oracle E-Business Suite is a popular enterprise resource planning (ERP) system that large organisations use to manage key internal functions such as human resources, finance, and supply chain operations. The Clop ransomware group took advantage of a serious zero-day flaw — named CVE-2025-61882  — in the Oracle EBS’s BI Publisher component. This bug let them remotely execute malicious code on the system without needing to log in.

 

“The investigation determined that, on August 10, 2025, the vulnerability in Oracle’s E-Business Suite application allowed unauthorised parties to access and acquire files stored in the application,” Tulane University said.

 

The compromised data included staff and students’ names, Social Security numbers, and financial information such as direct deposit and banking account details. While the total number of affected individuals is yet to be confirmed, in a filing with the Texas Attorney General’s office, the university said at least 2,992 people were affected by the data security incident.

 

“To help prevent something like this from happening in the future, Tulane has worked closely with Oracle and third-party cybersecurity vendors to ensure the aforementioned vulnerability has been eliminated,” the university added.

 

The educational institution has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered complimentary identity protection and credit monitoring services through Experian to all affected individuals.

 

A large number of organisations have reported breaches tied to the zero day vulnerability in the Oracle E-Business Suite, including GlobalLogic (Hitachi Group), Cox Enterprises, The Washington Post, Allianz UK, Sato Corporation, Envoy Air, and NHS England, all of which experienced various levels of data exposure or unauthorised access. 

 

Oracle released emergency patches to fix the zero-day flaw and urged customers to update immediately, though some of the initial fixes proved ineffective and required additional urgent updates.