Overview
- Penn’s filing in Maine confirms that 1,488 state residents were affected; the total number of victims and the specific data types are not disclosed because of redactions.
- The attack leveraged a previously unknown Oracle EBS vulnerability now tracked as CVE-2025-61882, which researchers say was exploited at scale before Oracle issued a fix on October 4.
- The university determined on November 11 that personal information was taken and says it has found no evidence of misuse or public disclosure.
- Penn says it applied Oracle’s patches, engaged cybersecurity experts, notified federal law enforcement, and is offering two years of Experian credit monitoring.
- The breach aligns with a wider data‑theft and extortion campaign reported to involve Clop and affecting organizations including Dartmouth, Harvard, The Washington Post, Logitech, Envoy Air, and GlobalLogic.