The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August. The breach is part of a larger extortion campaign by the Clop ransomware gang, which exploited a zero-day flaw to steal sensitive files from many organizations’ Oracle EBS platforms.
According to Penn’s breach notification letter, the attackers obtained data without authorization and stole files containing personal identifiers of impacted individuals. However, the exact number of people affected is unknown as the university has not disclosed this information yet.
Penn did inform the Maine Office of Attorney General that the threat actors stole names or other personal identifiers of 1,488 individuals. The university states it has found no evidence that any of the stolen data will be publicly disclosed or misused for fraudulent purposes.
The incident is part of a larger campaign by Clop, which also targeted Harvard University, The Washington Post, and several other organizations. Clop published the stolen data on its dark web leak site and made it available for download via torrent.
While Penn has implemented patches to resolve the vulnerability, it remains unclear whether any of the stolen information will be publicly disclosed or misused. The university is in the process of directly notifying affected individuals.
Source: https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-theft-after-oracle-ebs-hack