The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August.
The private Ivy League research university was founded in 1740 and has 5,827 faculty members and 29,109 students, with an 8:1 student-to-faculty ratio. It also has an academic operating budget of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025.
The University of Pennsylvania disclosed another breach in late October 2025, after a hacker compromised internal systems and stole data on Penn's development and alumni activities. The attacker claimed they exfiltrated personal information belonging to roughly 1.2 million students, alumni, and donors.
In recent weeks, other Ivy League schools have been targeted by a series of voice phishing attacks, with Harvard University and Princeton University also reporting that a hacker breached systems used for development and alumni activities to steal the personal information of students, alumni, donors, staff, and faculty.
Penn's Oracle EBS breach
In a breach notification letter filed with the office of Maine's Attorney General this week, Penn noted that the attackers exploited a previously unknown security vulnerability (also known as a zero-day flaw) in the Oracle E-Business Suite (EBS) financial application to steal personal information belonging to 1,488 individuals.
However, the number of people potentially impacted by the incident is likely much larger, seeing that the school has yet to disclose the exact number of individuals whose data was compromised in the attack.
"In the course of Penn's own investigation, we discovered that some data from Penn's Oracle EBS had been obtained without authorization. We then initiated a detailed review to determine whether any personal information was involved and to identify the affected individuals," the university told those affected by the data breach.
"On November 11, 2025, Penn determined that your personal information was among the information obtained from Oracle EBS."
While the types of data exposed in the breach are redacted in the filed notification letters, Penn did inform the Maine OAG that the threat actors stole files containing the names or other personal identifiers of impacted people.