CyberHappenings

Clop extortion campaign targets Oracle E-Business Suite

4 unique sources, 26 articles

Summary


The Clop ransomware gang’s ongoing extortion campaign against Oracle E-Business Suite (EBS) has expanded to include the **University of Phoenix**, which disclosed a breach on December 3, 2025, after detecting unauthorized access on November 21, the same day Clop listed it on its leak site. The attackers exploited the then-zero-day vulnerability **CVE-2025-61882**, which Oracle rates as remotely exploitable without authentication, to steal personal and financial data, including names, Social Security numbers, and bank account details, belonging to students, staff, and suppliers. The university joins more than 100 organizations named in the campaign, among them Harvard University, the University of Pennsylvania, Dartmouth College, GlobalLogic, Logitech, The Washington Post, Cox Enterprises, and American Airlines subsidiary Envoy Air. The campaign began in **early August 2025**: Clop used the flaw to reach EBS instances without valid credentials and exfiltrate data for roughly two months before Oracle released an emergency patch in early October. Outcomes differ by victim. Some organizations, including Logitech, GlobalLogic, and Cox Enterprises, have had large volumes of data published (almost 1.8 TB in Logitech’s case); the University of Phoenix has been listed but, as of its disclosure, no data from it appears to have been released; the University of Pennsylvania has not been listed at all, which may mean it is still negotiating or has paid. Oracle’s patch and subsequent advisories from CISA and the UK’s NCSC urged immediate mitigation, but the timeline shows that most exploitation preceded remediation, so applying the patch does not by itself establish that an instance was not already accessed; EBS operators should review access and exfiltration evidence back to at least early August 2025. Clop has a history of mass exploitation of zero-days in enterprise file-transfer software (Accellion FTA, GoAnywhere MFT, MOVEit Transfer) and continues to pressure victims with extortion demands; the full set of compromised data and affected individuals across all organizations remains under investigation.

Timeline

  1. 03.12.2025 13:30 (2 articles)

    University of Phoenix confirms data breach after Oracle EBS hack

    The University of Phoenix disclosed a data breach on **December 3, 2025**, after detecting unauthorized access on **November 21, 2025**—the same day the Clop extortion gang added it to its dark web leak site. The attackers exploited the **zero-day vulnerability CVE-2025-61882** in Oracle E-Business Suite to steal sensitive personal and financial data, including **names, contact information, dates of birth, Social Security numbers, and bank account/routing numbers** belonging to current/former students, employees, faculty, and suppliers. The university announced the breach via its official website and an **SEC 8-K filing** by its parent company, Phoenix Education Partners. Affected individuals will receive breach notification letters via US Mail, though the total number of victims and whether the stolen data has been publicly leaked remain undisclosed. This incident is part of the **Clop ransomware gang’s broader extortion campaign**, which has targeted over 100 organizations since August 2025 by exploiting the same Oracle EBS zero-day. Other confirmed victims in the campaign include Harvard University, the University of Pennsylvania, GlobalLogic, Logitech, The Washington Post, and American Airlines subsidiary Envoy Air.

  2. 02.12.2025 14:55 (2 articles)

    University of Pennsylvania confirms data breach after Oracle EBS hack

    The University of Pennsylvania (Penn) has disclosed a data breach in which attackers stole documents containing personal information from its Oracle E-Business Suite servers in August 2025. This is separate from the breach Penn disclosed in late October 2025, when a hacker compromised internal systems and stole data on the university's development and alumni activities; in recent weeks other Ivy League schools, including Harvard University and Princeton University, have reported similar breaches of their development and alumni systems following voice phishing attacks. In its notification to the Maine Office of the Attorney General, Penn states that the attackers exploited a previously unknown (zero-day) vulnerability in the Oracle EBS financial application to steal files containing the names or other personal identifiers of 1,488 individuals. The true number of affected people is likely much larger, since the school has not yet disclosed the total number of individuals whose data was compromised. Penn says it has found no evidence that the stolen information has been misused or leaked online. Penn has not attributed the breach, but the details in its notification letters match the larger extortion campaign in which the Clop ransomware gang has exploited CVE-2025-61882 to steal files from many organizations' Oracle EBS platforms since early August 2025.
    Clop has not added the University of Pennsylvania to its leak site, which may indicate that the university is still negotiating with the group or has already paid a ransom.

  3. 17.10.2025 22:11 (1 article)

    Clop ransomware operation history of exploiting zero-day vulnerabilities

    The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, emerged in 2019, breaching corporate networks to deploy a CryptoMix ransomware variant and steal data. Since 2020 the gang has shifted from encryption to mass exploitation of zero-day vulnerabilities in secure file transfer and data storage products, stealing data and extorting victims without deploying ransomware at all. Notable campaigns exploited zero-days in Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer products.

  4. 13.10.2025 14:14 (3 articles)

    Clop extortion gang lists Harvard University in data leak site

    Clop has added Harvard University to its leak site; the university confirmed that the incident affects a limited number of parties associated with a small administrative unit. Envoy Air, a subsidiary of American Airlines, confirmed that data was taken from its Oracle E-Business Suite application after Clop listed American Airlines on the same site.

  5. 06.10.2025 04:37 (8 articles)

    Oracle patches zero-day vulnerability exploited in Clop data theft attacks

    The exploitation campaign followed months of intrusion activity against EBS customer environments, with the earliest known attacker activity dated July 10, 2025. After Oracle's July 2025 Critical Patch Update, which fixed nine EBS flaws, Mandiant observed further likely exploitation attempts, and threat actors began exploiting CVE-2025-61882 as a zero-day against EBS customers as early as August 9, 2025, weeks before Oracle released an out-of-band fix in early October. The Google Threat Intelligence Group (GTIG) assessed that EBS servers updated with that patch are likely no longer vulnerable to the known exploitation chains. The patch does not, however, remove access an attacker already obtained or recover data already exfiltrated, so customers should investigate activity going back to at least July 2025. GlobalLogic's investigation, which identified the access and exfiltration on October 9, 2025, dated the earliest attacker activity to July 10, 2025 and the latest to August 20, 2025.

  6. 02.10.2025 06:13 (25 articles)

    Clop extortion emails claim theft of Oracle E-Business Suite data

    Envoy Air, a subsidiary of American Airlines, confirmed that data was taken from its Oracle E-Business Suite application after Clop listed American Airlines on its data leak site. Envoy stated that no sensitive or customer data was affected, but that a limited amount of business information and commercial contact details may have been compromised. Clop has also listed Harvard University, which confirmed that the incident affects a limited number of parties associated with a small administrative unit.

    GlobalLogic, a digital engineering services provider, notified over 10,000 current and former employees that their data was stolen in an Oracle EBS breach. The attackers exploited CVE-2025-61882 to take personal information belonging to 10,471 employees. GlobalLogic's investigation, which identified the access and exfiltration on October 9, 2025, dated the earliest attacker activity to July 10, 2025 and the latest to August 20, 2025. The stolen data includes names, addresses, phone numbers, emergency contact details, email addresses, dates of birth, nationalities, countries of birth, passport information, national or tax identifiers (such as Social Security numbers), salary information, and bank account details. At the time of the notification Clop had not added GlobalLogic to its leak site, which may indicate the company was still negotiating with the group or had already paid a ransom.

    The Washington Post is also among the victims, with nearly 10,000 employees and contractors affected. The attackers exploited the then-zero-day vulnerability in Oracle EBS, stole data, and attempted to extort the company in late September. The compromised data includes full names, bank account and routing numbers, Social Security numbers, and tax and ID numbers.

    Logitech International S.A. confirmed a data breach resulting from a Clop attack that exploited the Oracle EBS zero-day, and filed a Form 8-K with the U.S. Securities and Exchange Commission. The breach likely includes limited information about employees, consumers, customers, and suppliers, but not national ID numbers or credit card information. Clop added Logitech to its leak site and published almost 1.8 TB of data allegedly stolen from the company. Logitech said the vulnerability in the third-party software was patched as soon as a fix became available.

    Cox Enterprises detected a breach in late September 2025 that took place between August 9 and 14, 2025, via the Oracle EBS zero-day. Cl0p has taken credit for exploiting CVE-2025-61882 as a zero-day, added Cox Enterprises to its leak site on October 27, and published the stolen data; in one batch it also listed 29 new alleged victims, including major organizations in the automotive, software, and technology sectors. Cox is offering 9,479 affected individuals 12 months of identity theft protection and credit monitoring through IDX at no cost.

    Canon confirmed that it was targeted in the Oracle EBS campaign. The incident is limited to a subsidiary of Canon U.S.A., Inc., and affected only a web server; Canon has applied security measures and restored service while continuing to investigate for further impact. No Canon data had been leaked as of the latest report. Canon was previously hit by a ransomware attack in 2020 in which attackers stole employee information.

    More than 100 organizations have been named on the Cl0p leak site as alleged victims of the campaign. Nearly half are major companies in sectors such as IT and telecoms, heavy industry and manufacturing, healthcare and pharma, retail, automotive and transportation, media, and energy and utilities. The UK's National Health Service (NHS) is investigating but has not confirmed a breach; large companies that have not publicly confirmed a breach include Michelin, Broadcom, and Bechtel. Cl0p is the public-facing brand claiming the campaign, but the intrusions are assessed to be the work of an unidentified cluster linked to FIN11, which has run similar campaigns against other widely used enterprise products. Organizations are typically not listed on the Cl0p site without cause, but the threat actors may exaggerate the actual scope of a breach.

    Dartmouth College disclosed a data breach after Clop published data allegedly stolen from the school's Oracle EBS servers on its leak site. In a breach notification filed with Maine's Attorney General, Dartmouth says the attackers exploited the Oracle EBS zero-day to steal personal information belonging to 1,494 individuals; the total is likely larger, since the college is headquartered in Hanover, New Hampshire, and has not yet filed a notice with that state's Attorney General. "Through the investigation, we determined that an unauthorized actor took certain files between August 9, 2025, and August 12, 2025. We reviewed the files and on October 30, 2025, identified one or more that contained your name and Social Security number," the college says in letters mailed to affected individuals. In a separate appendix filed with Maine's AG, Dartmouth added that the attackers also stole documents containing financial account information. A Dartmouth spokesperson was not immediately available when BleepingComputer asked about the ransom demanded and the total number of individuals affected. While Clop has not disclosed the total number of affected organizations, Google Threat Intelligence Group chief analyst John Hultquist told BleepingComputer that dozens of organizations were likely breached. Data from Harvard University, The Washington Post, Logitech, GlobalLogic, and Envoy Air has since been leaked and is available for download via torrent.

    The University of Pennsylvania has separately disclosed that attackers stole documents containing personal information of 1,488 individuals from its Oracle EBS servers in August 2025 (see the 02.12.2025 entry above); Clop has not named Penn as a victim on its leak site.

    The University of Phoenix has also disclosed a data breach after Clop listed it on its leak site, announcing the incident through its parent company, Phoenix Education Partners, in a filing with the Securities and Exchange Commission. The investigation showed that the attackers accessed names, contact details, dates of birth, Social Security numbers, and bank account information. While Clop has published hundreds of gigabytes, and in some cases terabytes, of data allegedly taken from many victims, no University of Phoenix data appears to have been released.


Similar Happenings

Mixpanel Data Breach Exposes OpenAI API User Information

OpenAI has disclosed that a data breach at Mixpanel, a third-party analytics provider, exposed limited customer identifiable information and analytics data of some OpenAI API users. The breach occurred between November 9 and 25, 2025, and resulted from a smishing (SMS phishing) campaign detected on November 8, 2025. Affected data includes names, email addresses, approximate locations, operating systems, browsers, referring websites, and organization or user IDs associated with API accounts. OpenAI has removed Mixpanel from its services and is conducting additional security reviews across its vendor ecosystem. The company is notifying potentially affected users and advising them to be vigilant against phishing and social engineering attacks. OpenAI emphasized that no chat content, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised. CoinTracker, a cryptocurrency portfolio tracker and tax platform, has also been impacted, with exposed data including device metadata and limited transaction count.

Cyber Incident Affects Multiple London Councils

Multiple local authorities in London, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), are responding to a serious cybersecurity incident identified on Monday morning. The incident has impacted several systems, including phone lines, and both councils have notified the UK Information Commissioner’s Office (ICO) and are working with the National Cyber Security Centre (NCSC) on incident response. RBKC and WCC share IT systems and services, which may explain the simultaneous impact. Hammersmith and Fulham Council is also reportedly affected. RBKC confirmed that some data has been copied and taken away, potentially impacting historical data. The councils have invoked business continuity and emergency plans to ensure critical services are maintained, focusing on supporting the most vulnerable residents. RBKC's IT team worked throughout the night to implement mitigations. Additionally, Hackney Council raised internal cybersecurity threat levels to 'critical' and warned staff about phishing attacks, despite not being directly affected by this incident. RBKC expects at least two weeks of continued disruption as they bring services back online. Westminster City Council confirmed the disruption would last for several weeks, though most services are still running. Hammersmith and Fulham Council has taken steps to isolate and safeguard its networks, with some systems still unavailable.

Princeton University Database Compromised in Phishing Attack

On November 10, 2025, Princeton University suffered a data breach after a phishing attack on an employee. The breach exposed personal information of alumni, donors, faculty, and students, including names, email addresses, phone numbers, and home and business addresses; the compromised database did not contain financial information, credentials, or records protected by privacy regulations. The university has since cut off the attackers' access and advised affected individuals to watch for phishing attempts. Harvard University disclosed a similar breach discovered on November 18, 2025, in which a voice phishing attack led to unauthorized access to systems used by its Alumni Affairs and Development department, exposing personal information of students, alumni, donors, staff, and faculty. Those systems did not contain Social Security numbers, passwords, payment card information, or financial information. Harvard is working with law enforcement and third-party cybersecurity experts to investigate and has sent breach notifications to affected individuals. Separately, Harvard is also among the many victims of the Oracle E-Business Suite campaign.

Discord Breach Highlights Risks of Mandated ID Data Collection

In October 2025, Discord disclosed a breach affecting a third-party customer service provider, exposing personal data, including government-issued identification documents. The breach underscores the security risks posed by legal mandates requiring organizations to collect and store sensitive ID data, which they may lack the infrastructure to protect effectively. The incident highlights the challenges faced by managed service providers (MSPs) in securing client data across multiple regulatory environments, emphasizing the need for integrated security solutions to mitigate risks.

University of Pennsylvania suffers email compromise and harassment campaign

The University of Pennsylvania (Penn) experienced a cybersecurity incident where offensive emails were sent from compromised Penn email addresses. The emails claimed that data was stolen in a breach and criticized the university's security practices and admission policies. The incident involved various Penn email addresses, including those from the Graduate School of Education and other university employees. The emails were sent via 'connect.upenn.edu,' a Penn mailing list platform hosted on Salesforce Marketing Cloud. Penn's Incident Response team is addressing the breach, and the university has warned recipients to disregard the emails. The emails were sent on Friday, October 31, 2025.