
When Shared Platforms Fail: Lessons from December 2025 Cyberattacks on Global Universities


December 2025 continued the trend of significant and increasingly sophisticated cyberattacks on higher-education institutions around the world. While universities have long been targeted for research and infrastructure exploitation, this month’s wave underscored attackers’ focus on high-value administrative systems, enterprise software vulnerabilities and overlooked repositories containing personal data. The incidents reported this month provide further lessons on the evolving threat landscape and the need for robust, coordinated cyber resilience across academia.

University of Pennsylvania (USA) – Oracle EBS Exploitation

Disclosed: Early December 2025

The University of Pennsylvania confirmed a breach stemming from exploitation of a zero-day vulnerability in Oracle E-Business Suite (EBS), a widely used enterprise resource planning (ERP) platform that many universities rely on for finance, HR and administrative operations.

Attackers leveraged the flaw – later associated with the criminal group Cl0p – to gain unauthorized access to the Oracle EBS environment, enabling them to exfiltrate personal and sensitive information. Early filings indicate that the compromised records include names, Social Security numbers, and other potentially sensitive identifiers belonging to members of the university community.

Penn’s response included immediate containment actions, engagement with third-party incident responders, patching of affected systems and notification to affected individuals. Legal notifications and compliance with regulatory reporting obligations are ongoing.

This breach follows the broader trend seen earlier in 2025, where shared enterprise platforms become focal points for attackers due to their central role in institutional operations and integrated data repositories.

Key points:

  • Demonstrates attackers’ shift toward enterprise infrastructure rather than isolated research systems.
  • Highlights the cross-institution impact of widely deployed commercial software when vulnerabilities are unpatched.
  • Reinforces the importance of continuous monitoring, asset inventory and rapid detection across administrative platforms.

University of Phoenix (USA) – Major Oracle EBS Data Breach

Disclosed: Early December 2025

Also linked to the Oracle EBS vulnerability exploited during the same campaign, the University of Phoenix disclosed one of the largest academic data breaches of 2025. In this incident, attackers gained unauthorized access to the institution’s Oracle EBS deployment, accessing and exfiltrating extensive personal and financial data.

According to regulatory disclosures, the breach affects millions of individuals, including current and former students, staff, faculty and external partners. Compromised data reportedly includes names, dates of birth, Social Security numbers, contact information and bank account details.

The university has initiated notifications, offered credit monitoring and identity protection services, and engaged forensic teams to understand the full scope of the compromise. This incident mirrors similar breaches at Fortune 500 companies and universities that share the same Oracle ERP footprint, demonstrating how a single vendor’s vulnerability can cascade across sectors.

Key points:

  • One of the largest academic breaches in terms of records impacted in 2025.
  • Highlights systemic risk associated with common enterprise software platforms.
  • Shows the potential for delayed detection — the intrusion occurred months before public disclosure.

University of Sydney (Australia) – Data Breach via Development Repository

Disclosed: 18 December 2025

The University of Sydney confirmed a cyber incident involving unauthorized access to an online code repository used for development and testing purposes. Although the repository was not part of the university’s core production environment, it contained historical personal data spanning current and former staff, students and alumni.

Compromised information from the repository included names, dates of birth, contact details, job titles and historical employment data, affecting approximately:

  • ~10,000 current staff and affiliates,
  • ~12,500 former staff and affiliates,
  • ~5,000 alumni and students.

University leadership reported no evidence (as of the latest update) that the exposed data has been publicly disseminated or misused, but they have engaged relevant authorities, blocked unauthorized access, and begun a phased notification process for affected individuals.

This breach demonstrates how non-production systems and development environments, often overlooked in security assessments, can inadvertently expose considerable personal data when access controls and data sanitisation are not rigorously enforced.

Key points:

  • Non-production repositories can become entry points with high impact.
  • Historical personal data stored outside regulated environments poses additional risk.
  • Highlights need for data minimisation and regular auditing of secondary systems.
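A minimal audit of the kind the Sydney incident argues for, as an added example that is not from the original article or the university: it walks a repository checkout and flags files whose column headers or contents look like personal records. The column list, file suffixes and sample data are constructed assumptions.

```python
import csv, io, re, tempfile
from pathlib import Path

# Column names that suggest a file holds records about people (assumed list).
PERSONAL_COLUMNS = {"name", "first_name", "last_name", "dob", "date_of_birth",
                    "email", "phone", "job_title", "employee_id"}
# Value patterns that still match when a dump has no header row.
VALUE_PATTERNS = {"email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
                  "date": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b")}
TEXT_SUFFIXES = {".csv", ".sql", ".json", ".txt", ".yaml", ".yml"}

def audit_file(path):
    """Return a finding dict for one file, or None if nothing looks personal."""
    text = path.read_text(encoding="utf-8", errors="replace")
    lines = text.splitlines()
    columns = set()
    if path.suffix.lower() == ".csv" and lines:
        header = next(csv.reader(io.StringIO(lines[0])), [])
        columns = {h.strip().lower() for h in header} & PERSONAL_COLUMNS
    hits = {k: len(p.findall(text)) for k, p in VALUE_PATTERNS.items()}
    hits = {k: n for k, n in hits.items() if n}
    if not columns and "email" not in hits:
        return None  # bare dates alone are too common to flag
    rows = max(len(lines) - 1, 0) if columns else None
    return {"file": path.name, "columns": sorted(columns), "hits": hits, "rows": rows}

def audit_repo(root):
    """Walk a checkout, skipping .git, and list files that look like personal data."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.suffix.lower() in TEXT_SUFFIXES:
            finding = audit_file(path)
            if finding:
                findings.append(finding)
    return findings

def demo():
    """Build a constructed sample checkout and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "fixtures").mkdir()
        (root / "fixtures" / "staff_export.csv").write_text(
            "name,date_of_birth,email,job_title\n"
            "Alex Example,1980-01-02,alex@example.edu,Lecturer\n"
            "Sam Sample,1975-06-30,sam@example.edu,Technician\n")
        (root / "README.txt").write_text("Run tests with make test.\n")
        return audit_repo(root)
```

This only inspects the working tree; files deleted from the current branch can still be present in commit history and need a separate review.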


Oracle EBS Exploitation – A Broader Campaign Context

The Penn and Phoenix incidents in December were part of a broader exploitation campaign targeting Oracle E-Business Suite environments using a zero-day vulnerability first identified earlier, in late 2025. This campaign has affected organisations across sectors, including:

  • Harvard University (earlier in 2025),
  • Dartmouth College,
  • Various corporate and public entities utilising Oracle EBS.

Attackers associated with the Cl0p ransomware group claimed responsibility for exfiltrating large volumes of data by chaining the EBS flaw with other intrusion techniques, underscoring how shared, critical enterprise platforms can serve as force multipliers for attackers.

Implications:

  • Centralised ERP environments represent systemic risk if not patched and monitored proactively.
  • Collaboration among institutions to share Indicators of Compromise (IOCs) and mitigation strategies can reduce dwell time and impact across the sector.
  • Vendor-specific exploitation campaigns require rapid, coordinated patch deployment and proactive threat hunting.

Why These Incidents Matter for Academia

  1. Expanded Target Surfaces

Cybercriminals no longer focus solely on research networks or academic endpoints. Administrative platforms, enterprise systems and auxiliary repositories are now prime targets due to the rich personal and financial data they hold.

  2. Supply-Chain and Vendor Risk

Exploitation of widely used software like Oracle EBS shows how vulnerabilities in shared enterprise stacks can have multiplying effects across universities and other organisations. Investing in vendor risk assessment, patch management and enterprise monitoring is essential.

  3. Legacy and Overlooked Systems

The Sydney breach involving a development repository illustrates that even non-mission-critical systems can harbour sensitive data and become high-impact breach vectors if not governed by strong access control and data hygiene practices.

  4. Scale and Speed

Incidents impacting millions of records demonstrate the scale at which attackers can operate. Swift detection, containment, and transparent communication with affected individuals are now critical components of institutional response strategies.

Sources

University of Pennsylvania & University of Phoenix Oracle EBS Breaches:
https://www.securityweek.com/penn-and-phoenix-universities-disclose-data-breach-after-oracle-hack/
https://www.nytimes.com/2025/11/04/us/penn-data-breach-donors-students.html

University of Sydney Data Breach:
https://www.sydney.edu.au/news-opinion/news/2025/12/18/notification-of-cyber-and-data-breach.html
https://www.9news.com.au/national/university-of-sydney-major-australian-university-targeted-in-cyber-attack/59183b2b-7dca-4325-af1f-f5e4f35936c8

Oracle EBS Exploitation Broader Context:
• various industry sources reporting on Cl0p Oracle EBS exploitation campaign.
