University of Pennsylvania joins list of victims from Clop's Oracle EBS raid

The University of Pennsylvania has become the latest victim of Clop's smash-and-grab spree against Oracle's E-Business Suite (EBS) customers, with the Ivy League school now warning more than a thousand individuals that their personal data was siphoned from its systems.

In a data breach notification letter filed with Maine's attorney general, Penn says attackers exploited a zero-day in Oracle's EBS – the same flaw Clop boasted about abusing to raid hundreds of organizations worldwide – and made off with data stored inside the university's instance of the platform, which it uses to process "supplier payments, reimbursements, general ledger entries, and to conduct other University business."

Penn launched an investigation, patched its systems after Oracle issued fixes, and alerted federal law enforcement. The university says it discovered on November 11 that personal data had been stolen from its systems.

The notification, filed on December 1, confirms that 1 ...