The University of Pennsylvania (UPenn) has confirmed that it suffered a data breach last month, making it the second Ivy League school to face an intrusion in just a few weeks. Princeton and Columbia were also breached earlier this year.
The prestigious school was impacted via the Oracle E-Business Suite (EBS) vulnerability, which affected multiple organizations worldwide, UPenn’s data breach notice reads.
“Upon learning of potential unauthorized access to Oracle EBS, Penn immediately launched an investigation with the assistance of cybersecurity experts,” the school told potentially impacted individuals.
After a data review, UPenn discovered that some of its data from Oracle EBS was taken without authorization, which, in essence, translates to a hacker attack. According to the school, it utilized Oracle EBS “to process supplier payments, reimbursements, general ledger entries, and to conduct other University business.”
According to information that UPenn submitted to the Maine Attorney General’s Office, nearly 1,500 Maine individuals had their details exposed, which suggests that the scope of the data leak is likely much larger on a national level.
We have reached out to UPenn for comment, however the university was unable to share much beyond what was already included in the data breach notice.
“The University of Pennsylvania was one of nearly 100-already identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system. Penn has implemented the patches that Oracle issued to resolve the vulnerability. We are in the process of directly notifying individuals whose personal information was involved as a result of this incident, in accordance with applicable laws and regulations. Importantly, Penn has found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes,” UPenn’s spokesperson explained.
The publicly accessible breach notice did not disclose the type of data exposed in the attack.
Cl0p’s Oracle data breach
Interestingly, the vast majority of organizations impacted via the Oracle EBS breach had their details stolen by the Cl0p ransomware cartel, whose affiliates are behind the attack. The initial Cl0p exploit, first reported by Oracle on October 2nd, had been tracked by Google researchers as far back as July.
Cl0p has been on a hacking spree for months, constantly uploading new victims that were breached using the EBS bug. Oracle itself was listed on the gang’s dark web forum. However, as of the time of writing, UPenn is not listed on the gangs’ dark web forum.
UPenn’s absence from Cl0p’s dark web forum could mean many things. The gang may have deemed the data to be unimportant, but that’s highly unlikely. Attackers usually publish victimized organizations in batches, and UPenn may not be at the top of their list. Another possibility is that their ransom demands were met.
According to UPenn’s data breach notice, the school will offer impacted individuals up to two years of complimentary credit monitoring and identity theft protection services. This points to attackers accessing personal identifiable information (PII) that attackers can utilize to set up fraudulent accounts or impersonate the data’s owners.
Universities under fire
Barely a month has passed since the last time UPenn was under digital fire. Hours before Halloween, current and former students, faculty, parents, and some external individuals received mass emails criticizing the university’s practices in an apparent security breach.
Letters were sent using an email account tied to a senior systems administrator. UPenn later commented, saying that the message is fake and the University’s Office of Information Security and Incident Response team is actively addressing the issue.
UPenn is not the first Ivy League school to attract hacker attention in recent months. In late August, Columbia University experienced a similar attack, which exposed nearly 900,000 people, also including many of the past alumni.
Meanwhile, in late November, Princeton University, one of the world’s most prestigious universities, admitted that a data breach exposed the details of every person who has ever graduated or enrolled at the Ivy League school.
Updated on December 2nd [02:05 p.m. GMT] with a statement from University of Pennsylvania.
Vilius Petkauskas is a deputy editor at Cybernews. Vilius brings over a decade of experience in journalism to his role at Cybernews. He oversees content quality, topic pitching and research article development. Before joining Cybernews, Vilius sharpened his pen as a journalist for both print and online media, covering a diverse range of topics from local business to international politics.
Your email address will not be published. Required fields are markedmarked