University of Pennsylvania reports data breach caused by Oracle E-Business Suite exploit

The University of Pennsylvania is reporting a data breach caused by an exploit of a vulnerability in its Oracle E-Business Suite (EBS) servers 

The breach enabled hackers to steal personal information from approximately 1,488 individuals in August 2025. The attack exploited CVE-2025-61882 (CVSS score 9.8),

On November 11, 2025, Penn confirmed that personal information was among the data stolen from its Oracle EBS servers. The exact number of affected individuals may be significantly larger than the initially disclosed 1,488 people, as the university has not provided a full count.

The compromised information includes:

• Names
• Social Security numbers
• Other personal identifiers (specific data types have been censored in filed notification letters)

Penn spokesperson confirmed that the university was one of nearly 100 organizations impacted by the widely exploited Oracle E-Business Suite incident. The university has since implemented patches that Oracle issued to resolve the vulnerability and emphasized that no University systems outside of Oracle's E-Business Suite were compromised. 

The university is working with third-party cybersecurity experts including CrowdStrike, and cooperates with federal law enforcement including the FBI in the ongoing investigation.

Update - as of 5th of February 2026, ShinyHunters apparently published the stolen data from the University of Pennsylvania.