The University of Pennsylvania has become the latest victim of Clop’s smash-and-grab spree against Oracle’s E-Business Suite (EBS) customers, with the Ivy League school now warning more than a thousand individuals that their personal data was siphoned from its systems.
In a data breach notification letter filed with Maine’s attorney general, Penn says attackers exploited a zero-day in Oracle’s EBS – the same flaw Clop boasted about abusing to raid hundreds of organizations worldwide – and made off with data stored inside the university’s instance of the platform, which it uses to process “supplier payments, reimbursements, general ledger entries, and to conduct other University business.”
Penn launched an investigation, patched its systems after Oracle issued fixes, and alerted federal law enforcement. The university says it discovered on November 11 that personal data had been stolen from its systems.
The notification, filed on December 1, confirms that 1,488 Maine residents were among those caught up in the haul, though it offers no total victim count. The description of the compromised data is conspicuously redacted in the template sent to regulators, leaving it unclear what categories of personal information were taken. The Register asked Penn for more details, but did not receive a response by the time of publication.
Penn’s disclosure lands just a week after Dartmouth College confirmed that it too fell prey to the same Oracle EBS zero-day. In its own filing, the fellow Ivy League school said malicious actors had accessed files tied to procurement and payment systems, continuing a pattern first seen when the gang began leaking samples from breached Oracle EBS deployments earlier this year.
At the time, Clop bragged about exploiting unpatched Oracle EBS servers at scale, leaking samples from dozens of allegedly breached organizations. According to security boffins, the Russia-linked crew has been raiding Oracle EBS installations since early August, long before the database giant rushed out a fix for the vulnerability, tracked as CVE-2025-61882, on October 4.
Penn’s letter follows the same playbook seen in other academic disclosures: an admission of unauthorized access to Oracle EBS data, assurances that there’s “no evidence” of misuse, and an offer of two years of Experian credit monitoring services. The university says it has “no reason to believe” the stolen information has been publicly disclosed or used for fraud, though it is telling recipients to keep an eye on their financial statements and government correspondence, just in case.
The notice also states that Penn is working with cybersecurity experts to “reinforce our systems to mitigate the risk of future unauthorized access,” and that it continues to cooperate with a federal investigation into the breach. As with similar victims, the letter stresses that Oracle’s patches have now been applied.
Whether Penn’s missing totals and redacted data categories signal a particularly messy cleanup remains to be seen. For now, the university joins a growing list of EBS customers picking through the debris of Clop’s latest industrial-scale harvest. ®
