The University of Pennsylvania reported that in August, cyber criminals exploited a zero-day vulnerability in Oracle E-Business Suite, compromising the personal information of its students and staff.
In a data security incident notice filed with the Office of Maine Attorney General, Penn said that it uses the Oracle EBS to manage critical internal operations, including human resources, finance, and other functions.
After becoming aware of the zero-day vulnerability in the software, Penn immediately launched an investigation—supported by external cybersecurity experts—to determine the nature and scope of the incident.
“In the course of Penn’s own investigation, we discovered that some data from Penn’s Oracle EBS had been obtained without authorisation,” the University said.
The compromised data included names and other personal identifiers including Social Security numbers. The filing with the Maine state regulator’s office also states that Penn has identified at least 1,488 Maine residents affected by the incident.
Penn has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.
It has also offered two years of complimentary identity protection and credit monitoring services through Experian to all affected individuals.
The University of Pennsylvania disclosed another breach in October where threat actors gained unauthorised access to information systems related to its development and alumni activities. The breach was caused by a sophisticated social engineering attack that compromised a university employee’s PennKey single sign-on (SSO) account.
The attackers gained access to several internal systems—including VPN, Salesforce, Qlik analytics, SAP, and SharePoint—and exfiltrated sensitive data belonging to roughly 1.2 million students, alumni, and donors. The compromised information reportedly includes names, dates of birth, contact details, estimated net worth, donation histories, and various demographic details.
They also leveraged the university’s Salesforce Marketing Cloud to send offensive and fraudulent emails to approximately 700,000 individuals across the university community. In addition, the attackers released a 1.7 GB archive containing spreadsheets, donation records, and other files allegedly obtained from SharePoint and Box.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543