Penn investigating new data breach affecting business software, personal records

Penn is investigating a cybersecurity breach of its Oracle E-Business Suite servers that compromised the personal information of University-affiliated individuals across multiple states.
The breach — identified by the University in November — exploited the business software Penn uses to manage internal operations, according to letters filed with attorneys general in multiple states. Penn is in the process of notifying individuals whose personal information was compromised by the incident, according to a University spokesperson.
“The University of Pennsylvania was one of nearly 100 already-identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system,” the spokesperson wrote in a statement to The Daily Pennsylvanian.
Penn has implemented “the patches that Oracle issued to resolve the vulnerability” and “has found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes,” the statement added.
In a Dec. 1 letter notifying impacted individuals, Penn wrote that its investigation — assisted by federal law enforcement and cybersecurity experts — discovered that “some data from Penn’s Oracle EBS had been obtained without authorization.”
It remains unclear how many individuals were affected. According to information filed with the Office of the Maine Attorney General, the breach affected 1,488 state residents.
“Penn takes this incident very seriously and sincerely apologizes to everyone affected,” Penn’s letter read. “Protecting our community is of utmost importance, and we are committed to maintaining the privacy and security of your information.”
The November breach, first reported by BleepingComputer, followed a separate cybersecurity breach of an account affiliated with Penn’s Graduate School of Education that occurred in October. Hackers claiming responsibility for that breach alleged that they obtained data from 1.2 million students, alumni, and donors. Penn said that figure is “overstate[d].”
Penn has launched an investigation into the October hack and reported the incident to the Federal Bureau of Investigation. Several alumni have filed class-action lawsuits against the University following the October breach, alleging Penn did not sufficiently protect their personal data.
Several other Ivy League institutions have been affected by data breaches in recent months. In late November, donor records from Harvard University were accessed, and a similar database at Princeton University was also compromised.
Dartmouth College and Harvard were also affected by the Oracle hack.




