The University of Pennsylvania and the University of Phoenix confirm they were hit in the Oracle E-Business Suite hacking campaign.
The University of Pennsylvania (Penn) and the University of Phoenix confirmed they were hit in the recent cyberattack targeting Oracle E-Business Suite customers.
Penn explained that it uses Oracle’s E-Business Suite (EBS) platform for supplier payments, reimbursements, ledger entries, and other business operations. After Oracle announced that the flaw could enable unauthorized access, affecting hundreds of organizations worldwide, Penn launched an immediate investigation with cybersecurity experts and notified federal law enforcement.
During the investigation, Penn confirmed that data from its Oracle EBS environment had been accessed without authorization. The University then conducted a detailed review to determine whether personal information was involved. On November 11, 2025, Penn concluded that the recipient’s personal data was among the information taken.
The University of Pennsylvania is notifying impacted individuals, however it did now disclose the total number of affected people.
“Based on our review of the data, we have determined that the impacted information included XXXXXXXX.” reads the data breach notification shared with the Maine Attorney General. “We have found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes, or otherwise used in a way that could harm you as a result of this incident.”
The university is providing impacted individuals with access to complimentary Experian credit monitoring and remediation services for 24 months at no charge to them.
The University of Phoenix also disclosed a data breach through Phoenix Education Partners.
“The University of Phoenix, Inc., a subsidiary of Phoenix Education Partners, Inc. (including the University, the “Company”), recently experienced a cybersecurity incident involving the Oracle E-Business Suite software platform (“Oracle EBS”). The Company is one of a number of organizations, including other academic institutions, from which an unauthorized third-party exfiltrated data by exploiting a previously unknown software vulnerability in Oracle EBS. The incident did not impact the business operations or student programming of the Company.” reads a FORM 8-K filed with SEC.
“While the investigation remains ongoing, at this time, the Company believes that the software vulnerability was used in August 2025 to copy certain data maintained in the Company’s Oracle EBS environment.”
“The Company believes that certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers, with respect to numerous individuals was accessed without authorization.” The University of Phoenix added.
Several universities have been affected by the same Oracle’s E-Business Suite (EBS) campaign, including the prestigious Harvard.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, data breach)