Case Study: University of Pennsylvania Dual-Breach (2025)

Executive Summary

The University of Pennsylvania (Penn) suffered a sophisticated “one-two punch” cyberattack in late 2025 that now serves as a critical case study for the “Assume Breach” security philosophy. Within a single month, the institution was struck through two distinct attack vectors, proving that high-value targets are often subject to persistent, multi-layered threats.

The Incidents

  • Breach A (October 2025): Attackers used social engineering to hijack a PennKey Single Sign-On (SSO) account, bypassing Multi-Factor Authentication (MFA) because the account held a “convenience exemption.” The actors then moved laterally to compromise SharePoint, alumni databases, and Salesforce Marketing Cloud.

  • Breach B (November 2025): While the university was in the recovery phase, the Clop ransomware group exploited a zero-day vulnerability (CVE-2025-61882) in the Oracle E-Business Suite (EBS). This technical exploit allowed for Remote Code Execution (RCE) and direct data theft from core financial and supplier systems without requiring credentials.

Impact and Disclosure

The breach exposed sensitive Personally Identifiable Information (PII) belonging to approximately 1,500 individuals, primarily from donor and alumni records. The incident became public in three waves: first the attackers’ “appetizer leaks” and mass mockery emails, then the discovery of the data on the Dark Web by security researchers, and finally the university’s official confirmation on November 5, 2025.

Response and Mitigation

Penn’s response strategy focused on containment and remediation:

  • Immediate Lockdown: Compromised PennKey accounts were locked, and affected Oracle EBS servers were disconnected from the internet.

  • Technical Fixes: An emergency critical patch from Oracle was applied to close the zero-day vulnerability.

  • External Collaboration: The university partnered with the FBI and CrowdStrike for digital forensics and a federal probe.

  • Victim Support: Affected individuals were provided with 24 months of credit monitoring services.

Strategic Lessons

The dual-breach highlights the danger of the “Convenience Gap,” where VIP MFA exemptions create “Golden Tickets” for intruders. Moving forward, the university and similar institutions must adopt Identity-First Security and Zero-Trust Architecture. Key preventive measures include universal MFA enforcement, network micro-segmentation to prevent lateral movement, and the deployment of Web Application Firewalls (WAF) for virtual patching against future zero-day exploits.


Introduction

The 2025 University of Pennsylvania (Penn) cybersecurity incident serves as a textbook example of the “Assume Breach” philosophy. Over roughly one month, one of the world’s leading research institutions was hit by two distinct, back-to-back cyberattacks. These breaches targeted different application vectors: one human-centric (SSO) and one technical (Zero-Day), illustrating that modern threat actors often strike the same target repeatedly until they find a path to high-value data.

What Happened?

The University of Pennsylvania suffered two major security compromises in late 2025:

Breach A (October 2025)

Attackers compromised a PennKey Single Sign-On (SSO) account through social engineering, deceiving individuals into revealing their credentials. With SSO access, they moved laterally into a range of sensitive internal systems, including Salesforce Marketing Cloud (where constituent and marketing data is stored), SharePoint (which houses organizational documents and resources), and alumni databases, raising significant concerns about the protection of former students’ personal information. The sophistication of this attack underscores the need for vigilance and robust controls around identity and access.

Breach B (November 2025): Oracle E-Business Suite Exploit

The Clop ransomware group exploited a significant security vulnerability (CVE-2025-61882) in the Oracle E-Business Suite (EBS) used by the university. This critical zero-day exploit emerged just as the institution was still recovering from a previous cyber incident. The Oracle E-Business Suite, a vital application for managing the university’s financial operations, including supplier payments and donor record maintenance, was particularly attractive to cybercriminals because of the sensitive data it handles. The exploitation of this flaw enabled attackers to gain unauthorized access, potentially compromising crucial financial information and disrupting essential services underpinning the university’s operations.

Infographic showing Incident A (SSO Compromise in October 2025) and Incident B (Zero-Day Exploit in November 2025) and the critical data compromised.

How the Incident Occurred (Technical Breakdown)

The dual breach was a “one-two punch” utilizing two different attack surfaces:

Vector: Identity (SSO)
Method: Social Engineering & MFA Bypass
Impact: Attackers impersonated high-ranking officials. They bypassed Multi-Factor Authentication (MFA) on specific accounts that reportedly had “MFA exemptions,” allowing them to send mass emails to 700,000+ affiliates and export donor files.

Vector: Application (Zero-Day)
Method: Remote Code Execution (RCE)
Impact: The Clop group used a pre-authentication RCE flaw in the Oracle EBS “BI Publisher” component. They sent crafted HTTP requests to bypass security and execute SQL injection, allowing them to steal data without needing any credentials.


Who Reported the Incident?

The reporting happened in three waves:

The Attackers

In a calculated effort to inflict maximum humiliation, the hackers orchestrated a mass email campaign from official @upenn.edu addresses, targeting both students and alumni of the University of Pennsylvania. The email, dubbed an “appetizer leak,” not only spilled sensitive information but also ridiculed the university’s security protocols, leaving recipients both shocked and incredulous. This audacious act called the integrity of the institution’s cybersecurity measures into question and sparked widespread concern about the protection of personal data within the university community.

Cybersecurity Researchers

Threat-intelligence and security news outlets, including Kaduu and BleepingComputer, uncovered the stolen database being traded on Dark Web platforms, specifically on forums like Darkforums.st, where cybercriminals frequently trade sensitive information. The discovery underscores the ongoing challenge organizations face in protecting their data from malicious actors.

The University

On November 5, 2025, the University of Pennsylvania officially acknowledged a significant data breach that had compromised sensitive information. The announcement followed a thorough internal investigation conducted with the assistance of the FBI and cybersecurity firms, including the well-regarded CrowdStrike. This collaboration aimed to assess the extent of the breach, identify the vulnerabilities that led to it, and protect the integrity of the university’s data systems going forward.

A horizontal timeline showing disclosure phases: Attackers' "Appetizer Leak," Researchers' Dark Web discovery on Darkforums.st, and the University's official confirmation on Nov 5, 2025.

How the University Responded

Penn’s response focused on rapid containment and transparent (though delayed) communication:

System Lockdown

As soon as the breach was identified, the IT team locked down the compromised PennKey accounts to prevent further unauthorized access. Concurrently, they isolated the affected Oracle E-Business Suite (EBS) servers by disconnecting them from the internet, containing the threat and safeguarding the university’s data integrity. This prompt response reflected the team’s commitment to protecting sensitive information during a critical incident.

Legal & Forensic Support

The university sought the expertise of CrowdStrike, a leading cybersecurity firm known for its digital forensics capabilities, to conduct a thorough investigation into the incident. In addition, it promptly notified federal law enforcement agencies to ensure the breach was addressed with appropriate legal and security measures in place.

Remediation

In late 2025, Oracle released a crucial security patch to address significant vulnerabilities in its software applications. Recognizing the urgency and importance of this update, Penn took immediate action to implement the patch across their systems, ensuring enhanced protection and stability for their operations.

Victim Support

The university has taken proactive measures by providing a comprehensive two-year identity theft protection and credit monitoring service through Experian. This initiative aims to support nearly 1,500 individuals whose personally identifiable information (PII) has been definitively confirmed as compromised. The protection service will include monitoring credit reports, alerting individuals to any suspicious activity, and assisting in restoring their identity in the event of theft, ensuring that those affected have the resources necessary to safeguard their financial well-being.

A four-step process: 1. System Lockdown, 2. Forensic Investigation with CrowdStrike/FBI, 3. Technical Patching for Oracle, and 4. Victim Support via Experian.

Preventive & Protective Measures

To have prevented this, or to protect against future strikes, the following measures are critical:

Eliminate MFA Exemptions

The recent breach of the Single Sign-On (SSO) system highlights a critical vulnerability: certain high-level accounts were granted exemptions from Multi-Factor Authentication (MFA) under the guise of “convenience.” This lack of rigorous security protocols allowed unauthorized access to sensitive information. Adopting a zero-trust security model requires implementing MFA for all users, regardless of their position or level of authority within the organization. This approach ensures that every individual, whether an entry-level employee or a senior executive, must verify their identity through multiple authentication methods, significantly reducing the risk of similar breaches in the future.
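The two identity failures this page describes, a login that succeeds on a “convenience” exemption instead of a second factor, and an approval that follows a burst of rejected MFA pushes (the MFA-fatigue pattern mentioned in the FAQ), can both be caught in SSO audit logs. The following detector is an added example, not Penn’s or any vendor’s code; the event shape and sample log are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSO audit events (not real Penn logs). Each event is
# (timestamp, user, event, factor). "factor" is what the IdP recorded at login:
# "push" for a completed second factor, "exempt" for a convenience exemption.
SAMPLE_EVENTS = [
    ("2025-10-20T08:00:00", "dean01", "login_success", "exempt"),
    ("2025-10-20T08:05:00", "staff02", "login_success", "push"),
    ("2025-10-20T22:01:00", "vp03", "mfa_push_denied", "push"),
    ("2025-10-20T22:01:40", "vp03", "mfa_push_timeout", "push"),
    ("2025-10-20T22:02:15", "vp03", "mfa_push_denied", "push"),
    ("2025-10-20T22:02:50", "vp03", "mfa_push_denied", "push"),
    ("2025-10-20T22:03:30", "vp03", "mfa_push_approved", "push"),
    ("2025-10-20T22:03:31", "vp03", "login_success", "push"),
    ("2025-10-21T09:00:00", "staff02", "mfa_push_denied", "push"),
    ("2025-10-21T09:30:00", "staff02", "mfa_push_approved", "push"),
]

FATIGUE_WINDOW = timedelta(minutes=10)   # assumed tuning values
FATIGUE_THRESHOLD = 3                    # rejected pushes before an approval

REJECTED = ("mfa_push_denied", "mfa_push_timeout")


def find_exempt_logins(events):
    """Users who logged in on an MFA exemption: under universal MFA this list must be empty."""
    return sorted({u for _, u, ev, factor in events
                   if ev == "login_success" and factor == "exempt"})


def find_push_fatigue(events, window=FATIGUE_WINDOW, threshold=FATIGUE_THRESHOLD):
    """Flag users where >= threshold denied/timed-out pushes inside `window`
    were followed by an approval. Returns (user, rejected_count, approval_time)."""
    per_user = defaultdict(list)
    for ts, user, ev, _ in sorted(events):           # ISO timestamps sort lexically
        per_user[user].append((datetime.fromisoformat(ts), ev))
    hits = []
    for user, seq in per_user.items():
        rejected = []                                # times of recent rejected pushes
        for t, ev in seq:
            if ev in REJECTED:
                rejected = [r for r in rejected if t - r <= window] + [t]
            elif ev == "mfa_push_approved":
                recent = [r for r in rejected if t - r <= window]
                if len(recent) >= threshold:
                    hits.append((user, len(recent), t.isoformat()))
                rejected = []                        # an approval closes the burst
    return hits
```

On the constructed log, dean01 is flagged for the exemption and vp03 for four rejected pushes followed by an approval at 22:03:30, while staff02’s single denial half an hour before an approval is ignored.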

Egress Filtering & Micro-segmentation

Isolating the alumni database from the broader campus network could have prevented unauthorized lateral movement. By implementing a dedicated and secure segmentation strategy, intruders would have faced significant barriers when attempting to move between network zones. This separation would limit access to sensitive information, protecting the integrity of alumni data while safeguarding the rest of the campus infrastructure from malicious activity.

WAF (Web Application Firewall) Rules

Implementing a Web Application Firewall (WAF) equipped with virtual patching capabilities would have been instrumental in intercepting and blocking the distinctive HTTP request patterns exploited in the recent zero-day attack targeting Oracle E-Business Suite (EBS). This proactive defence mechanism could have effectively shielded vulnerable applications by analyzing incoming traffic for known threats, even before Oracle released the official security patch. By leveraging virtual patching, organizations can safeguard their systems from exploitation, minimize potential damage, and secure sensitive data against this specific attack vector.

Threat Hunting

Implementing a routine that involves meticulous scanning for “Cobalt Strike” beacons, specifically the indicators of compromise associated with this widely abused penetration testing tool, could have significantly accelerated the detection of the breach. These beacons are the channel attackers use to maintain persistence within a compromised network. By identifying these signals earlier, the organization could have reduced the extent of the intrusion and limited the attackers’ ability to keep their foothold in the system.

Four quadrants for cyber defense: Zero-Trust Access, Network Segmentation, Proactive Firewalls (WAF), and Active Threat Hunting for Cobalt Strike beacons.

Key Lessons from the Breach

  1. “Assume Breach” is a Necessity: The fact that attackers struck twice, using different methods, proves that a single layer of defence is insufficient.
  2. The “Convenience Gap” is a Security Hole: Exempting executives from security protocols (like MFA) creates a high-value “golden ticket” for hackers.
  3. Reputational Damage via “Appetizer Leaks”: Attackers no longer just steal data; they use compromised communication tools (email/Slack) to shame the victim publicly, forcing a faster ransom negotiation.

Pro Tip: In the age of zero-days, Patch Management must be paired with Behavioral Analytics (UEBA). If an application suddenly starts “talking” to a known Clop IP address, the system should auto-isolate even if no known vulnerability is being exploited.
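The beacon hunting in the Threat Hunting section and the behavioural auto-isolation rule in the Pro Tip above share one mechanic: look at outbound connections per host rather than at vulnerabilities. The example below is added here and is not Penn’s, CrowdStrike’s or any vendor’s code; the connection records and the blocklist are constructed (TEST-NET addresses), and the thresholds are assumed tuning values. It flags hosts that call out to the same destination at a near-constant interval (the timing signature of a C2 beacon) and hosts that contact a threat-intel address even once.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection records (firewall/proxy style), not real telemetry:
# (timestamp, source host, destination IP, destination port)
SAMPLE_CONNECTIONS = [
    ("2025-11-02T10:00:00", "ebs-app-01", "203.0.113.7", 443),
    ("2025-11-02T10:01:00", "ebs-app-01", "203.0.113.7", 443),
    ("2025-11-02T10:02:02", "ebs-app-01", "203.0.113.7", 443),
    ("2025-11-02T10:03:01", "ebs-app-01", "203.0.113.7", 443),
    ("2025-11-02T10:04:00", "ebs-app-01", "203.0.113.7", 443),
    ("2025-11-02T10:05:01", "ebs-app-01", "203.0.113.7", 443),
    ("2025-11-02T10:00:10", "ws-112", "198.51.100.9", 443),   # normal browsing
    ("2025-11-02T10:07:45", "ws-112", "198.51.100.9", 443),
    ("2025-11-02T10:31:02", "ws-112", "198.51.100.9", 443),
    ("2025-11-02T11:15:00", "ws-112", "198.51.100.9", 443),
    ("2025-11-02T10:00:00", "ws-113", "192.0.2.44", 8443),
]

# Constructed placeholder standing in for a threat-intel feed of known C2 addresses.
KNOWN_BAD_IPS = {"192.0.2.44"}

MIN_CONNECTIONS = 5   # assumed: enough samples to judge periodicity
MAX_JITTER = 0.15     # assumed: max coefficient of variation of intervals


def _intervals(stamps):
    ts = sorted(datetime.fromisoformat(s) for s in stamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def find_beacons(conns, min_conns=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """(host, dst, port) tuples whose connections recur at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, host, dst, port in conns:
        by_pair[(host, dst, port)].append(ts)
    beacons = []
    for (host, dst, port), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        iv = _intervals(stamps)
        mean = statistics.mean(iv)
        cv = statistics.pstdev(iv) / mean if mean else 0.0   # relative jitter
        if cv <= max_jitter:
            beacons.append({"host": host, "dst": dst, "port": port,
                            "period_s": round(mean), "jitter": round(cv, 3)})
    return beacons


def isolation_decisions(conns, bad_ips=KNOWN_BAD_IPS):
    """Hosts to auto-isolate and why: periodic beaconing, or any contact with a
    known-bad address, regardless of whether a known CVE is involved."""
    out = {b["host"]: "periodic beacon to %s:%d" % (b["dst"], b["port"])
           for b in find_beacons(conns)}
    for _, host, dst, _ in conns:
        if dst in bad_ips and host not in out:
            out[host] = "contact with threat-intel IP %s" % dst
    return out
```

On the sample data, ebs-app-01 is isolated for a 60-second beacon with under 2% jitter and ws-113 for the blocklist hit, while ws-112’s irregular browsing is left alone.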

Infographic highlighting three lessons: "Assume Breach" Mindset, The Convenience Gap (VIP MFA exemptions), and Reputational Weaponization.

Conclusion

The University of Pennsylvania dual-breach is a landmark case highlighting the evolution of modern cyber threats. It proves that persistence is the new standard; attackers do not stop after one successful entry. By hitting the university through its identity provider (SSO) and then its financial core (Oracle EBS), the threat actors demonstrated the critical need for Micro-segmentation and Universal MFA.

For CISOs and IT directors, the takeaway is clear: Security is not a “set it and forget it” task. To protect against “back-to-back” strikes, institutions must adopt a proactive Zero Trust Architecture that monitors for anomalous behavior inside the network just as much as it guards the gates.


FAQs

  • Was student data like grades or transcripts stolen?

    Most reports indicate the focus was on Donor Records and Alumni PII (Personally Identifiable Information). While SSO was compromised, there was no widespread evidence of grade manipulation.

  • Why didn't MFA stop the first attack?

    The attackers used a combination of MFA fatigue (bombarding a user with prompts) and exploiting specific high-level accounts that had MFA exemptions for "operational ease."


  • Who was behind the second attack?

    The Clop ransomware group was identified as the primary threat actor behind the Oracle E-Business Suite zero-day exploit.

  • How can other universities prevent this?

    By moving away from "Perimeter Defense" (firewalls) toward Identity-First Security, ensuring no user is trusted by default, regardless of their location on the network.
