NetSuite Vendor Cyber Rating & Cyber Score

Description: Oracle Issues Urgent Alert for Critical RCE Flaw in Identity and Web Services Manager Oracle has released an urgent security alert for a critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw allows unauthenticated attackers to remotely compromise systems by sending specially crafted network packets, enabling arbitrary code execution on vulnerable servers. Exploitation of this vulnerability could grant threat actors deep system access, allowing them to deploy malware, steal sensitive corporate identity data, or move laterally within an enterprise network. The flaw is rated under CVSS 3.1, though Oracle has withheld technical exploit details to prevent immediate weaponization. The vulnerability impacts Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0 for both affected products. Oracle has released patches under KB878741, but only for versions covered by Premier Support or Extended Support. Organizations running end-of-life software must upgrade to supported releases before applying fixes. Given the severity of the flaw and the risk of exploitation by advanced persistent threats, Oracle emphasizes the need for immediate patch deployment to secure identity management infrastructure. The vulnerability operates over standard network protocols, leaving even HTTPS-secured systems exposed until updates are applied.

Description: Oracle E-Business Suite Hack Leaves Four Major Companies Silent on Impact A recent cyberattack targeting Oracle E-Business Suite (EBS) has disrupted organizations reliant on the platform for critical business operations, including finance, supply chain, HR, and procurement. While many companies have responded with public disclosures and mitigation efforts, Broadcom, Bechtel, Estée Lauder, and Abbott Technologies have yet to issue any statements, raising concerns about transparency and crisis management. The breach exposes vulnerabilities in a widely used enterprise software suite, threatening the integrity of sensitive corporate and customer data. Security researchers and incident response teams are assessing the full scope of the compromise, with affected organizations working to determine exposure and prevent follow-on attacks. In contrast to the silent four, other companies have taken proactive steps, including acknowledging the breach, implementing security measures, collaborating with cybersecurity firms, and notifying stakeholders. This approach is considered best practice in handling enterprise-wide software vulnerabilities. The continued silence from Broadcom, Bechtel, Estée Lauder, and Abbott Technologies leaves stakeholders uninformed about potential risks, data protection efforts, and the companies’ cybersecurity commitments. The lack of disclosure may also invite regulatory scrutiny, particularly for publicly traded firms, while risking long-term reputational damage. As cybersecurity incidents grow in frequency and severity, transparent communication is increasingly seen as a corporate obligation both for stakeholder trust and legal compliance. The absence of updates from these four companies underscores a critical gap in modern incident response policies.

Description: Loblaw Faces Alleged Massive Data Breach as Threat Actor Demands Response A threat actor operating under the handle *"igotafeeling"* on the *DarkWeb Informer* forum has claimed to have breached Loblaw, Canada’s largest food and pharmacy retailer, which owns brands like *President’s Choice, No Frills, Shoppers Drug Mart, Real Canadian Superstore*, and the *PC Optimum* loyalty program. The actor alleges possession of over 1.8 billion records, including: - 75.1 million Salesforce customer records (names, emails, phone numbers, addresses, loyalty IDs, and health card numbers) - 724.9 million Shoppers Drug Mart records (passwords, tokens, loyalty IDs, payment details, and full credit card numbers with expiry dates) - 129.9 million pharmacy fill requests (prescription numbers and patient IDs) - 120.4 million e-commerce fraud-feed records (payment card BINs, last-four digits, and expiry dates) - 20.2 million Delivery Ops Portal records (orders, deliveries, and postal codes) - 3,014 GitLab projects containing Loblaw’s full source code - 19.3 million Oracle identity records (MFA device details and credentials) - 55.3 million marketing and email records across 673 tables The threat actor has given Loblaw until March 19 to respond, accusing the company of *"ghosting"* them and dismissing customer and investor concerns. They have also invited media organizations to verify the data’s authenticity. In response, Loblaw issued a March 12 press release, labeling the incident a *"low-level data breach"* and stating that only *"basic customer information"* (names, phone numbers, and emails) may have been accessed. The company explicitly denied evidence of financial or credit card data compromise directly contradicting the threat actor’s claims. While the breach remains unverified, the scale of the alleged exposure if confirmed would rank among the largest in Canadian history. The situation mirrors past high-profile breaches (e.g., *T-Mobile, Equifax, Capital One*), where initial corporate statements downplayed impact before later revelations proved otherwise. Loblaw customers with *PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories* may be affected if the claims hold true. The deadline for Loblaw’s response is six days away.

Description: DHS and ICE Contractor Data Breach Exposes Thousands of Entities A recent cybersecurity breach targeting the U.S. Department of Homeland Security’s (DHS) Office of Industry Partnership has exposed sensitive contract details involving over 6,600 organizations. The incident, first reported by the non-profit *Distributed Denial of Secrets*, was publicly disclosed by a hacking collective identifying itself as the *Department of Peace*. The leaked data includes comprehensive records of companies, government agencies, and universities that applied for or secured contracts with DHS and Immigration and Customs Enforcement (ICE). Among the affected entities are major firms such as Anduril, HBGary, L3Harris, Microsoft, Oracle, Palantir, and Raytheon, as well as federal agencies like the FBI and NASA. The compromised information spans: - Company names, URLs, and employee details (names, titles, contact information) - Business and personal addresses - Tax ID numbers, including Employer Identification Numbers (EINs) and potential Social Security Numbers (SSNs) - Government contractor identifiers (UEI numbers, CAGE codes) - Internal DHS staff comments on data updates - A secondary list detailing awarded contracts and their purposes, some of which were not publicly accessible via the DHS’s official portal The *Department of Peace* claimed the breach was motivated by opposition to DHS and ICE’s immigration enforcement policies, citing detentions, injuries, and deaths linked to their operations. The group stated its intent was to expose corporate and institutional ties to these agencies, though it acknowledged that some affected entities such as universities and public safety organizations were not the primary targets of its criticism. The full scope of the breach remains unclear, as the hackers described the data as "likely incomplete." The incident underscores ongoing risks to government contractor confidentiality and the potential for politically motivated cyberattacks to disrupt federal operations.

Description: MSGE Data Breach Exposes Personal Information of Over 131,000 Individuals Madison Square Garden Entertainment (MSGE), the operator of high-profile sports and entertainment venues in New York City and Chicago, disclosed a cybersecurity incident on March 2, 2026, affecting the personal data of more than 131,000 individuals. The breach involved unauthorized access to MSGE’s network, potentially compromising sensitive personally identifiable information (PII), including names, addresses, and Social Security numbers. The law firm Lynch Carpenter, LLP, has launched an investigation into the incident, inviting affected individuals to review potential legal claims. The firm, known for its work in data privacy litigation, has represented millions of clients in similar cases over the past decade. MSGE has not yet released further details on the breach’s origin, timeline, or remediation efforts. The incident adds to a growing list of high-profile data exposures in the entertainment and hospitality sectors, raising concerns about the security of customer and employee records.

Description: ShinyHunters Claims Breach of Wynn Resorts, Leaks 800K Employee Records The ransomware group *ShinyHunters* has allegedly breached Wynn Resorts, claiming to have stolen over 800,000 employee records and demanding 23.34 Bitcoin (≈$1.55 million) to delete the data. The group set a deadline of February 23, 2026, for payment, warning that failure to comply would result in the data being leaked on the dark web. A sample of the stolen data, analyzed by *The Register*, includes full names, emails, phone numbers, job positions, salaries, start dates, birth dates, and other personal details enough to facilitate phishing attacks, credential theft, and financial fraud. According to a group member, the breach occurred in September 2025 via an Oracle PeopleSoft vulnerability, exploiting compromised employee credentials. Wynn Resorts has not yet responded to the claims or media inquiries. *ShinyHunters* has been highly active in recent months, targeting organizations through vishing scams and exploiting identity management systems like Okta. This incident follows high-profile attacks on Caesars Entertainment and MGM Resorts in September 2023, reinforcing concerns over cybersecurity vulnerabilities in the hospitality and gaming sectors.

Description: Hypertherm Discloses Data Breach Impacting U.S. Employees After Oracle EBS Exploit Hypertherm, an employee-owned manufacturer of industrial cutting systems based in Hanover, New Hampshire, has reported a data breach exposing personal information due to a vulnerability in Oracle’s E-Business Suite (EBS) software. The incident was discovered on February 10, 2026, after an unauthorized actor exploited an unknown flaw in Oracle EBS to steal database tables from the company’s systems in August 2025. The breach compromised names and Social Security numbers of affected individuals, though the total number of impacted U.S. residents remains undisclosed. Hypertherm began notifying victims via mail on March 13, 2026, filing reports with the Maine, New Hampshire, and Texas Attorneys General. To date, 334 Texas residents, 166 New Hampshire residents, and 31 Maine residents have been confirmed as affected. The ransomware group CL0P claimed responsibility for the attack, posting about the breach on the dark web’s Tor network on November 21, 2025, categorizing it as a ransomware incident. Hypertherm is offering one year of free identity monitoring through Kroll, including credit monitoring, fraud consultation, and identity theft restoration. Affected individuals can enroll using a membership number provided in their notification letters. The company has also set up a dedicated call center (844-403-4502) for inquiries. While Hypertherm has not released nationwide impact figures, the breach underscores the risks of unpatched software vulnerabilities in enterprise systems. The incident follows a pattern of CL0P’s exploitation of third-party software flaws to extract sensitive data.

Description: University of Pennsylvania Data Breach Impact Far Smaller Than Initially Claimed A high-profile data breach at the University of Pennsylvania (Penn), initially alleged by anonymous hackers to have exposed records of 1.2 million students, donors, and alumni, was confirmed to have affected fewer than 10 individuals, according to a recent legal filing in a proposed class-action lawsuit. The breach, which occurred on October 31, targeted systems linked to development and alumni activities. Hackers sent a provocative email purporting to be from Penn to students and alumni, falsely claiming the university had "terrible security practices" and urging donors to "stop giving us money." Penn swiftly dismissed the hackers’ claims, stating it could not verify the scale of the breach and had engaged cybersecurity specialists to investigate. In a statement, the university confirmed that a "comprehensive review" of the compromised files concluded that only a limited number of individuals had their personal data exposed. Notifications were sent to those affected, as required by law. Penn also announced plans to implement mandatory cybersecurity training and strengthen defenses against future attacks. The incident sparked 18 proposed class-action lawsuits in the U.S. Eastern District Court, with plaintiffs alleging Penn failed to protect sensitive data, enabling cybercriminals to exploit it. However, in December, a federal judge consolidated the cases into a single lawsuit. Since then, eight plaintiffs have withdrawn, after learning that none of those who sued were among the impacted individuals, according to a Monday court filing. Attorneys for the remaining plaintiffs acknowledged that the small scope of the breach could weaken the case if pursued independently. They proposed merging the litigation with an ongoing lawsuit in Western Texas District Court related to a separate, larger breach involving Oracle E-Business Suite, which affected over 100 companies. Penn has not disclosed the number of individuals impacted in that incident. Disagreements among attorneys over the case’s leadership and jurisdiction remain unresolved. A judge is expected to decide which legal team will lead the litigation and whether the case will proceed in Philadelphia or Texas.

Description: Oracle Discloses Critical Proxy Vulnerability in Fusion Middleware (CVE-2026-21962) Oracle has revealed a severe security flaw (CVE-2026-21962) in its Fusion Middleware suite, specifically affecting the Oracle HTTP Server and WebLogic Server Proxy Plug-in. The vulnerability, rated CVSS 10.0, enables unauthenticated remote attackers to exploit systems without user interaction, posing a major risk to enterprise environments. The flaw lies in how the WebLogic Server Proxy Plug-ins for Apache HTTP Server and Microsoft IIS process incoming requests. Due to its location in the proxy layer, attackers can bypass security controls entirely, gaining unauthorized access to sensitive data and the ability to create, delete, or modify system data. The vulnerability’s "Scope Change" (S:C) metric indicates that successful exploitation could extend beyond the plug-in, potentially compromising backend WebLogic Server environments. Affected Versions: - Oracle HTTP Server / Proxy Plug-in: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 - WebLogic Server Proxy Plug-in for IIS: 12.2.1.4.0 Oracle has released patches in its Critical Patch Update (CPU), with temporary mitigation recommending restricted network access to affected HTTP ports if immediate patching is not possible. The flaw’s low attack complexity and high impact make it a priority for organizations using these components.

Description: Global Ransomware Attacks Surge 32% in 2025, With Manufacturing and U.S. Organizations Hit Hardest In 2025, global ransomware attacks reached 7,419 incidents, marking a 32% increase from the 5,631 recorded in 2024, according to a report by Comparitech. Of these, 1,173 attacks were confirmed by targeted organizations, while the remaining were claimed by ransomware groups via data leak sites. Collectively, the confirmed attacks breached 59.2 million records, though this figure is expected to rise as delayed reports emerge. ### Key Trends and Sector Impacts - Manufacturing saw the sharpest rise in attacks, surging 56% to 1,466 incidents, with average ransom demands more than doubling from $523,000 in 2024 to $1.2 million in 2025. - Legal firms experienced a 54% increase in attacks, alongside a 60% jump in ransom demands, averaging $610,000. - Healthcare and education saw stable attack volumes, with only 2% increases in incidents, suggesting a potential shift in attacker focus or improved defenses in these sectors. ### Geographic Breakdown The U.S. remained the most targeted country, accounting for 3,810 attacks (51% of the global total), a 33% increase from 2024. Other heavily affected nations included: - Canada: 392 attacks (31% increase) - Germany: 303 attacks (62% increase) - U.K.: 251 attacks (5% decrease) - France: 178 attacks (39% increase) - South Korea: 64 attacks (540% increase), driven largely by attacks on asset management firms following Qilin’s breach of a third-party provider. ### Ransomware Groups and Data Theft - Qilin was the most active group, responsible for 1,034 attacks (14% of the total), including 172 confirmed incidents. The group claimed to have stolen 31.2 petabytes of data, primarily from a single U.S. manufacturer. - Akira ranked second with 765 attacks, while SafePay was linked to the largest number of breached records (16.15 million), nearly all from its attack on Conduent. - DragonForce exposed 6.5 million records, mostly from its attack on the U.K.’s Co-operative Group, which resulted in £206 million ($276 million) in lost revenue. ### Notable Breaches in 2025 - Conduent (U.S.): 15.9 million records exposed in a SafePay attack, with 8.5 terabytes of data allegedly stolen. - Episource (U.S.): 5.4 million records compromised in an unidentified ransomware attack. - University of Phoenix (U.S.): 3.49 million records breached via a Clop attack exploiting an Oracle zero-day vulnerability. - DaVita (U.S.): 2.69 million records exposed in an Interlock attack, with 1.5 terabytes of data stolen. - Sanrio (Japan): 2 million records affected. - Asahi Group (Japan): 1.9 million records compromised. ### Sector-Specific Trends - Businesses bore the brunt of attacks (6,292 incidents, 35% increase), with 43 million records exposed in confirmed cases. Average ransom demands held steady at $1.09 million. - Government entities faced 374 attacks (27% increase), with 2.19 million records compromised. Ransom demands fell 15% to $1.55 million. - Healthcare saw 444 attacks (2% increase), with 10.1 million records exposed. Ransom demands plummeted 84% to $615,000. - Education recorded 252 attacks (2% increase), with 3.9 million records breached. Ransom demands dropped 34% to $457,200. The data underscores a strategic shift in ransomware targeting, with attackers prioritizing high-value commercial and public-sector entities while maintaining pressure on traditionally vulnerable sectors. Despite the surge in attacks, average ransom demands declined overall, dropping 26% to $1.04 million. However, select industries particularly manufacturing and legal services saw significant increases in both attack frequency and ransom demands.

Description: Higher Education Under Siege: A Wave of Cyberattacks Exposes Systemic Vulnerabilities In the first half of 2025, a surge of cyberattacks has targeted major U.S. universities, exposing critical weaknesses in higher education’s cybersecurity defenses. The University of Pennsylvania, Harvard University, and Princeton University all reported breaches within the past two months, following earlier incidents at Columbia University, Dartmouth College, and New York University. Each institution confirmed the attacks stemmed from social engineering, with Harvard and Princeton specifically citing phone-based phishing as the entry point. Officials at the affected schools stated they acted swiftly to contain the breaches and are reinforcing security measures. However, experts warn that universities face an uphill battle. Mike Corn, a former chief information security officer in higher education and current consultant at Vantage Technology, noted that colleges operate like "small cities," with decentralized networks, personal devices, and diverse user behaviors creating countless vulnerabilities. Even robust investments in cybersecurity, he argued, cannot guarantee immunity from attacks especially as AI-driven threats grow more sophisticated. The challenges extend beyond technology. Brian Nichols, CIO at the University of Kentucky, highlighted that while phishing simulations and training have improved awareness, they are not foolproof. Anita Nikolich, director of research and technology innovation at the University of Illinois at Urbana-Champaign, warned that punitive security measures can backfire, alienating faculty who may resist protocols perceived as restrictive. A core tension lies in academic freedom versus centralized IT control: many universities allow individual departments such as medical or business schools to maintain separate IT teams, increasing risk. Nikolich, who previously led IT infrastructure at the University of Chicago, described this fragmentation as a "huge risk factor," as decentralized systems complicate consistent security enforcement. Faculty resistance further complicates the issue. Janice Lanham, a nursing lecturer at Clemson University, nearly fell victim to a phishing scam but caught the deception in time. Yet, as Brian Voss, Clemson’s CIO, observed, some professors view security protocols as obstacles to research and teaching. Voss described a "culture of subservience" in higher-ed IT, where departments prioritize faculty demands over security, often retaining excessive data including sensitive information like Social Security numbers despite the risks. His efforts to reduce data storage have met resistance, with one university even retaining personal data for voter registration purposes, creating what he called "piles of gold for bad guys." The conflict between research needs and security is particularly acute. Nikolich, who also conducts quantum computing research, faced initial pushback when requesting network data for her work. After demonstrating the data’s non-sensitive nature and potential security benefits, she gained access but noted that other universities default to blanket denials. When researchers are blocked, she warned, they often bypass official channels, increasing exposure. The solution, Nikolich suggested, lies in collaboration: IT, security teams, and faculty must treat cybersecurity as a shared priority, balancing innovation with protection. Until then, universities remain prime targets caught between the demands of open academic environments and the escalating sophistication of cyber threats.

Description: Michelin Confirms Data Breach in Cl0p’s Oracle EBS Cyberattack Campaign Tire manufacturer Michelin has confirmed a data breach linked to the ongoing cybercrime campaign targeting organizations using Oracle’s E-Business Suite (EBS). The Cl0p ransomware and extortion group, believed to be operated by the FIN11 threat actor cluster, exploited zero-day vulnerabilities in Oracle EBS to access sensitive data from over 100 organizations, including Michelin. Michelin acknowledged the incident, stating that while its systems were protected by robust security measures, attackers leveraged an Oracle EBS zero-day flaw to infiltrate its network. The company reported that only a "small, localized volume of data" was compromised, with no sensitive or technical IT information affected. No ransomware was deployed, and global operations remained unaffected. Despite Michelin’s assurance that the breach was contained, Cl0p published over 315GB of allegedly stolen files on its leak site. Metadata analysis suggests the data originated from an Oracle EBS environment. Michelin emphasized its swift response, confirming that corrective actions were taken and the vulnerability has since been patched. This attack follows similar breaches at Madison Square Garden, auto parts supplier LKQ, the University of Phoenix, and Korean Air, all tied to the same Oracle EBS campaign. The incidents highlight the growing threat posed by sophisticated extortion groups exploiting enterprise software vulnerabilities.

Description: 2025: A Year of Rising Costs and Escalating Cyber Threats for UK Businesses As 2025 draws to a close, UK businesses and charities have faced a surge in financial pressures from soaring employment costs and supply chain disruptions to oil and tariff shocks. Yet, one of the most damaging expenses has been the fallout from cyberattacks, which have hit nearly half of British companies and 30% of charities over the past year. High-profile victims include retail giants Marks & Spencer, Adidas, and the Co-op Group, as well as Heathrow Airport, Harrods, and Jaguar Land Rover (JLR). The public sector hasn’t been spared either: Germany’s parliament and the UK Foreign Office (breached in October) were among those targeted. Attacks ranged from phishing scams to full-scale digital shutdowns, with some incidents costing hundreds of millions. The scale of cybercrime has reached staggering proportions. Cybersecurity Ventures estimates the global cost of cyberattacks in 2025 at $10.5 trillion (£7.8 trillion) a figure that would rank cybercrime as the world’s third-largest economy, trailing only the US and China. The financial and operational toll underscores the growing threat to organizations across sectors.

Description: TeamPCP Exploits Cloud Misconfigurations in Large-Scale Cybercrime Operation A threat actor known as TeamPCP (also operating under aliases like PCPcat and ShellForce) is conducting automated, worm-like attacks on misconfigured and exposed cloud management services, compromising at least 60,000 servers worldwide since late December. The group’s campaign primarily targets Azure (60% of attacks), AWS (37%), and Google and Oracle cloud environments, exploiting well-documented vulnerabilities and misconfigurations rather than developing new attack methods. TeamPCP’s operations involve scanning for exposed Docker APIs, Kubernetes clusters, Ray dashboards, and systems with leaked secrets (such as `.env` files). Once inside, the group deploys malicious Python and Shell scripts to install proxies, tunneling software, and persistence mechanisms, effectively converting compromised infrastructure into a self-propagating botnet. A key tool in their arsenal is the React2Shell vulnerability (CVE-2025-29927), which allows remote command execution and data exfiltration. The group monetizes its attacks through multiple revenue streams, including: - Cryptocurrency mining using hijacked compute resources. - Data theft and extortion, with stolen records including personal IDs, employment records, and résumés published on a leak site operated by an affiliate, ShellForce. - Selling access to compromised systems for use as proxies or command-and-control infrastructure. - Ransomware deployment, leveraging infected systems as launchpads for further attacks. Notably, TeamPCP has targeted JobsGO, a Vietnamese recruitment platform, exfiltrating over two million records containing sensitive personal and professional data. Most victims are located in South Korea, Canada, the U.S., Serbia, and the UAE, with stolen information often used for phishing, impersonation, or account takeovers. Despite its sophistication, TeamPCP’s techniques are not novel the group relies on automated exploitation of known vulnerabilities and recycled tooling. Security firm Flare warns that the threat actor’s strength lies in its large-scale automation, turning exposed cloud infrastructure into a distributed criminal ecosystem. The group also maintains a Telegram channel (launched in November, with ~700 members) for updates and reputation-building, though researchers suggest it may have operated under previous aliases. The campaign underscores the risks of unsecured cloud control planes, leaked credentials, and poor access controls, as TeamPCP continues to industrialize existing attack vectors with alarming efficiency.

Description: Record-Breaking DDoS Attack by Aisuru/Kimwolf Botnet Peaks at 31.4 Tbps On December 19, Cloudflare mitigated a historic distributed denial-of-service (DDoS) attack launched by the Aisuru (also known as Kimwolf) botnet, reaching an unprecedented 31.4 Tbps and 200 million requests per second (rps). The campaign, dubbed *"The Night Before Christmas,"* targeted telecommunications providers, IT organizations, and Cloudflare’s own infrastructure with hyper-volumetric HTTP and Layer 4 DDoS attacks. This attack surpassed Aisuru’s previous record of 29.7 Tbps, set earlier, and another Microsoft-attributed assault peaking at 15.72 Tbps from 500,000 IP addresses. Over 90% of the attacks in the campaign peaked between 1-5 Tbps, with most lasting 1-2 minutes. Despite their scale, Cloudflare’s automated systems detected and mitigated them without triggering internal alerts. The botnet’s power stems from compromised IoT devices and routers, though the December attacks primarily originated from Android TVs. Cloudflare’s 2025 Q4 DDoS Threat Report revealed a 121% year-over-year increase in DDoS attacks, with 47.1 million incidents recorded in 2025 averaging 5,376 attacks per hour. Network-layer attacks dominated (73%), while HTTP-based assaults made up the remainder. The most targeted industries included telecommunications, IT services, gambling, and gaming, with China, Hong Kong, Germany, Brazil, and the U.S. bearing the brunt of attacks. Bangladesh was the largest source of attacks, followed by Ecuador, Indonesia, and Argentina, while Russia dropped to 10th place. The report also noted a 600% increase in network-layer attacks exceeding 100 million packets per second (Mpps) and a 65% quarter-over-quarter rise in attacks over 1 Tbps. Over 71.5% of HTTP DDoS attacks were linked to known botnets.

Description: MSG Entertainment Investigates Data Breach Impacting Customer Personal Information New York-based Madison Square Garden Entertainment Corp. (MSG Entertainment) is under investigation following a data breach discovered on December 16, 2025, that exposed sensitive customer information. The incident stemmed from a vulnerability in the Oracle eBusiness Suite, hosted by a third-party vendor, which was exploited by hackers as early as August 2025. The breach potentially compromised names, addresses, and Social Security numbers of affected individuals. MSG Entertainment has since begun notifying impacted customers via mail. Edelson Lechtzin LLP, a national class action law firm, is leading an investigation into potential legal claims on behalf of those whose data was exposed. The firm specializes in data privacy litigation and is evaluating remedies for affected parties. MSG Entertainment operates high-profile venues, including Madison Square Garden, Radio City Music Hall, the Beacon Theatre, and the Chicago Theatre. The full scope of the breach and the number of individuals affected remain under review.

Description: University of Phoenix Hit by Massive Data Breach Affecting Millions In November 2025, the University of Phoenix disclosed a significant data breach impacting over 3.4 million current and former students and staff. The breach, attributed to the CL0P ransomware group, exploited a vulnerability in the university’s Oracle E-Business Suite software between August 13 and August 22, 2025, leading to the exfiltration of sensitive personal data. Exposed information included names, dates of birth, Social Security numbers, and financial details such as bank account and routing numbers. The university reported the incident to the California and Maine Attorney Generals’ offices on December 21, 2025, and began notifying affected individuals the following day. Among those impacted were 9,131 Maine residents. The breach has prompted legal action, with Shamis & Gentile P.A., a class-action law firm specializing in data breach cases, investigating potential compensation for victims. The university has offered free IDX identity theft protection services to those affected. The University of Phoenix, a private for-profit institution based in Phoenix, Arizona, serves working adults through online degree programs in fields like business, healthcare, and information systems. The incident underscores the growing threat of ransomware attacks targeting educational institutions.

Description: Clop Ransomware Gang Steals Data of 3.5 Million from University of Phoenix The Clop ransomware gang has stolen the personal and financial data of nearly 3.5 million individuals including current and former students, staff, and suppliers after breaching the University of Phoenix (UoPX) network in August 2025. The attack was part of a broader extortion campaign exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), a financial application used by the university. UoPX, a private for-profit institution based in Phoenix, Arizona, detected the breach on November 21 after Clop listed the university on its data leak site. The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account information. In early December, the university publicly disclosed the incident and filed an 8-K report with the U.S. Securities and Exchange Commission (SEC). On Monday, UoPX confirmed in notification letters filed with Maine’s Attorney General that 3,489,274 individuals were affected. The university is offering free identity protection services, including credit monitoring, dark web surveillance, and a $1 million fraud reimbursement policy. While UoPX has not officially attributed the attack, the tactics align with Clop’s recent campaign targeting Oracle EBS vulnerabilities. Other U.S. universities, including Harvard and the University of Pennsylvania, have also reported similar breaches linked to the same exploit. Clop has a history of high-profile data theft operations, previously targeting GoAnywhere MFT, Accellion FTA, MOVEit Transfer, Cleo, and Gladinet CentreStack. The U.S. Department of State has offered a $10 million reward for information connecting the gang’s activities to a foreign government. In a separate wave of attacks since late October, multiple universities including Harvard, Princeton, and the University of Pennsylvania have also fallen victim to voice phishing (vishing) attacks, compromising systems tied to development and alumni activities.

Description: The NHS is investigating a cyberattack claimed by the extortion group Clop, which listed the NHS.uk domain on its leak site on November 11 without publishing any stolen data. The attack reportedly exploits a vulnerability in Oracle E-Business Suite (EBS), a system widely used across the NHS for managing sensitive patient data. While Clop did not specify which NHS branch was compromised, the potential exposure of patient records given the NHS’s role as Europe’s largest employer and a critical healthcare provider poses severe risks. The NHS, which refuses to pay ransoms, is collaborating with the National Cyber Security Centre (NCSC) to assess the breach. Historical attacks on the NHS have disrupted life-saving services, and this incident could similarly threaten patient safety if systems are compromised. The UK’s proposed ban on ransom payments for public sector organizations further complicates recovery efforts, leaving the NHS vulnerable to prolonged operational and reputational damage.

Description: US tech company F5 confirmed a data breach in which nation-state attackers stole the source code and vulnerability information related to its BIG-IP family of networking and security products. BIG-IP is a critical infrastructure component used by enterprises for traffic management, load balancing, and security, making this breach particularly severe. The stolen data could enable adversaries to identify and exploit undiscovered flaws in BIG-IP systems, potentially leading to supply-chain attacks, unauthorized network access, or large-scale disruptions in organizations relying on F5’s solutions. The breach underscores the escalating risks of state-sponsored cyber espionage targeting foundational IT infrastructure, with implications for global cybersecurity resilience. F5 has not disclosed whether customer data was compromised, but the theft of proprietary code and vulnerability details poses a long-term threat to its product ecosystem and the broader digital supply chain.

Description: Wits University Hit by Zero-Day Cyberattack, Oracle Investigating Potential Data Breach Wits University in South Africa has confirmed a cyberattack targeting its IT systems, classified as a zero-day exploit a breach leveraging an unknown vulnerability with no available patch at the time of the incident. The attack, which has affected organizations across multiple countries, prompted the university to collaborate with Oracle and cybersecurity experts to assess whether any data was compromised. While the full scope of the breach remains under investigation, Wits University has reported that some IT systems were compromised, though operations continue as normal. The institution has formally notified South Africa’s Information Regulator, adhering to data protection protocols. The incident underscores the growing threat of zero-day vulnerabilities, which leave organizations exposed until patches are developed. Further details on the attack’s impact and affected data are expected as the investigation progresses.

Description: Parexel Reports Data Breach Impacting Sensitive Employee Information Parexel, a global clinical research organization, disclosed a data breach affecting sensitive personal information stored in its Oracle OCI E-Business Suite (Oracle EBS) environment. On October 4, 2025, the company detected suspicious activity within the system, prompting an investigation. The breach, confirmed through forensic analysis, revealed that an unauthorized third party accessed employee-related data. Exposed information may include names, Social Security numbers, dates of birth, financial account numbers, payment card details (excluding CVVs), and national ID numbers, though the exact data varies by individual. On December 17, 2025, Parexel began notifying affected individuals via mail, detailing the compromised information and offering 24 months of complimentary credit monitoring services. The breach notice was filed with the Attorney General of Massachusetts, where impacted residents were among the first to be informed. The full scope of affected individuals and additional details remain under review.

Description: A large-scale phishing campaign targeted Oracle Hospitality through malicious search engine advertisements (malvertising), impersonating its services to deceive users. Victims were redirected to typosquatted domains mimicking legitimate login pages, harvesting credentials, email addresses, phone numbers, and passwords. The attackers bypassed multi-factor authentication (MFA) by capturing real-time one-time passwords (OTP) via SMS or email codes, gaining unauthorized access to cloud-based property management systems.The breach exposed sensitive guest data, including personal information and payment details, stored in these platforms. Technical analysis revealed Russian-speaking threat actors behind the operation, using sophisticated beaconing techniques to track victims’ geolocation, session duration, and engagement. The campaign posed significant risks to Oracle Hospitality’s operational integrity, customer trust, and financial security, with potential downstream impacts on booking systems and guest privacy.Security researchers highlighted the need for phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn) and adaptive risk assessments to mitigate future threats. The incident underscores the growing sophistication of industry-specific cyberattacks targeting hospitality providers.

Description: Maritz Holdings Inc. Suffers Data Breach via Oracle E-Business Suite Vulnerability Maritz Holdings Inc., a Missouri-based management consulting firm with $1.4 billion in revenue and 4,250 employees, disclosed a data breach stemming from an exploited vulnerability in Oracle E-Business Suite (EBS). The incident occurred between August 10–13, 2025, before Oracle publicly acknowledged the flaw. The CL0P ransomware group claimed responsibility for the attack, posting details on the dark web. Maritz detected the breach on November 13, 2025, after launching an investigation with cybersecurity experts and notifying law enforcement. The probe confirmed that unauthorized access led to the exposure of sensitive data, including names, Social Security numbers, and financial account information. Affected individuals including current and former Maritz employees and clients were notified in writing on February 27, 2026. While the total number of impacted U.S. victims remains undisclosed, state-specific figures include four in Maine, 85 in Massachusetts, and three in New Hampshire. The breach highlights risks tied to third-party software vulnerabilities, particularly in widely used enterprise systems like Oracle EBS. Legal investigations are underway for potential compensation claims.

Description: SUNY Research Foundation Hit by Zero-Day Data Breach, Exposing Employee Personal Data The SUNY Research Foundation, based in Albany, New York, disclosed a data breach involving a zero-day vulnerability in Oracle’s eBusiness Suite. The attack occurred between August 9 and 11, with cybercriminals accessing personnel files containing sensitive employee information, including Social Security numbers. Oracle identified the flaw and released an urgent patch, but the breach went undetected until early October, when the company notified the foundation on October 10. Despite discovering the breach in October, the foundation only determined which files were accessed on November 26 nearly three months after the initial incident. Affected employees were notified last week, more than 60 days after the files were identified, exceeding New York’s 30-day notification requirement for data breaches. A foundation spokesperson acknowledged the delay, citing the complexity of forensic analysis needed to assess the scope of the breach. The foundation confirmed that no research data was compromised, and the attack was limited to personnel documents. The incident follows a pattern of similar breaches affecting thousands of organizations worldwide using the same Oracle software. The full extent of the exposure and potential misuse of the stolen data remains unclear.

Description: Cox Enterprises, a U.S.-based conglomerate with operations in telecommunications, media, and automotive services (e.g., Cox Communications, Autotrader), suffered a sophisticated data breach via a zero-day exploit (CVE-2025-61882) in Oracle’s E-Business Suite. Hackers, linked to the Cl0p ransomware group, infiltrated the network between August 9–14, 2025, exfiltrating 1.6TB of data including sensitive personal information of 9,479 individuals (names, addresses, dates of birth, Social Security numbers, and internal documents). The breach was detected in late September 2025, with Cl0p leaking the data on the dark web. The attack exploited an unpatched critical vulnerability (CVSS 9.8) allowing unauthorized database access, heightening risks of identity theft, financial fraud, and reputational damage. Oracle released an emergency patch post-breach, but the delay enabled widespread exploitation across other high-profile targets (e.g., The Washington Post, Harvard University). Cox offered affected parties credit monitoring, though long-term risks persist. The incident underscores vulnerabilities in ERP systems, supply chain security gaps, and the escalating threat of ransomware-as-a-service (RaaS) campaigns targeting enterprise software.

Description: Hypertherm, Inc. Data Breach Exposes Sensitive Data in 2025 Oracle EBS Hack Hypertherm, Inc., a manufacturer of industrial cutting products for sectors including shipbuilding, automotive repair, and manufacturing, confirmed a data breach affecting its Oracle E-Business Suite (EBS) systems. The incident, discovered on February 12, 2026, stemmed from an unauthorized intrusion in August 2025, during which an attacker exfiltrated database tables containing sensitive information. Hypertherm launched an investigation with third-party cybersecurity experts and began notifying affected individuals on March 13, 2026. The breach has since drawn legal scrutiny, with Edelson Lechtzin LLP, a national class action law firm, announcing an investigation into potential claims on behalf of impacted parties. The firm is evaluating legal remedies for those whose personal data may have been compromised. Hypertherm’s Oracle EBS software is used to manage critical operations, suggesting the breach could have exposed corporate or customer data. Further details on the scope of the exposed information remain undisclosed. The incident highlights ongoing risks associated with enterprise software vulnerabilities and delayed breach detection.

Description: The Clop ransomware gang exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), specifically within the BI Publisher Integration component, to conduct data theft attacks since at least August 2025. The flaw allowed unauthenticated remote code execution (RCE) via a single HTTP request, enabling attackers to steal sensitive corporate documents from unpatched systems. Oracle patched the vulnerability in early October 2025, but not before Clop launched an extortion campaign, emailing executives at multiple victim organizations to demand ransoms in exchange for not leaking the stolen data.The attack leveraged a vulnerability chain exposed by leaked proof-of-concept (PoC) exploits from the Scattered Lapsus$ Hunters group, increasing the risk of further exploitation by other threat actors. Clop’s campaign mirrors past high-profile breaches, including MOVEit Transfer (2,770+ organizations affected), Accellion FTA, and GoAnywhere MFT, reinforcing its reputation for large-scale data theft via zero-days. Oracle urged immediate patching, warning that internet-exposed EBS applications remain prime targets. The U.S. State Department has even offered a $10 million reward for intelligence linking Clop to foreign state sponsorship, underscoring the attack’s severity.

Description: Anywhere Real Estate Hit by Clop Ransomware Attack, Exposing 17,429 Customers In August, Anywhere Real Estate disclosed a data breach affecting 17,429 customers, following an attack by the Clop ransomware gang. The cybercriminals infiltrated the company’s Oracle E-Business Suite environment, accessing and potentially exfiltrating sensitive customer data. A breach notification filed with the Maine Attorney General’s Office confirmed the incident, though details on the exact nature of the compromised information remain limited. Clop, a well-known ransomware and extortion group, has been linked to multiple high-profile attacks, often targeting vulnerabilities in enterprise software. The breach at Anywhere Real Estate parent company of brands like Coldwell Banker, Century 21, and Sotheby’s International Realty highlights the growing threat to real estate and mortgage sectors, where vast amounts of personal and financial data are stored. The company has since notified impacted individuals, but the full scope of the breach’s consequences including potential identity theft or fraud remains unclear. This incident follows a broader trend of cyberattacks on real estate firms, underscoring the industry’s vulnerability to sophisticated ransomware operations.

Description: In August 2025, hackers breached Salesloft’s SaaS platform by stealing OAuth access tokens linked to its Drift chatbot integration with Salesforce. The attackers exploited these tokens functioning as trusted non-human identities to impersonate the integration and gain unauthorized access to Salesforce CRM data across hundreds of organizations. Over a 10-day campaign, they exfiltrated sensitive records, including stored credentials like AWS keys and Snowflake tokens from support case attachments. The breach highlighted the risks of unmonitored machine identities with excessive privileges, enabling large-scale data theft without traditional human account compromises.

Description: The Clop ransomware gang exploited a zero-day vulnerability in Oracle’s E-Business Suite, a critical enterprise software used for managing customer data, HR files, and corporate operations. The attack, active since at least July 10, allowed hackers to steal significant amounts of sensitive data, including personal information of corporate executives and employees, as well as customer data from affected organizations. Oracle initially claimed the vulnerabilities were patched, but later confirmed the zero-day flaw enabled remote exploitation without authentication, meaning attackers could breach systems without credentials.Google’s security researchers revealed that dozens of organizations were compromised, with the Clop gang using the stolen data for extortion campaigns. The group has a history of mass-hacking via unpatched vulnerabilities in file transfer tools (e.g., MOVEit, GoAnywhere), amplifying risks of large-scale data leaks. Oracle’s delayed acknowledgment and the ongoing exploitation of the flaw suggest prolonged exposure, increasing potential damage to financial records, executive identities, and corporate intellectual property.

Description: Oracle issued an emergency security update to patch a critical information disclosure vulnerability (CVE-2025-61884, CVSS 7.5) in its E-Business Suite (EBS) Runtime UI component (versions 12.2.3–12.2.14). The flaw allows unauthenticated remote attackers to exploit it over a network without credentials, granting access to sensitive corporate resources, including financial, employee, or customer data. The vulnerability was part of a broader extortion campaign linked to the Cl0p ransomware group (FIN11), which exploited a separate zero-day (CVE-2025-61882, CVSS 9.8) to steal data and send extortion emails to executives. While Oracle did not confirm active exploitation of CVE-2025-61884, the urgent patch suggests high risk. Attackers leveraged hacked email accounts and default password resets to gain credentials, potentially exposing confidential business data, intellectual property, or operational secrets. The incident highlights risks of supply-chain attacks and data breaches in enterprise software, with possible financial fraud, reputational damage, or regulatory penalties if exploited.

Description: Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of Cl0p’s ransomware attack exploiting a zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884). The cybercriminal group exfiltrated sensitive corporate and customer data, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking financial records, proprietary business data, and third-party customer information. Cl0p’s extortion tactics included warnings of public disclosure on their blog, torrent leaks, or sales to malicious actors, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed supply chain cascading risks, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage including data theft, potential regulatory fines, and erosion of stakeholder trust had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing long-term financial and strategic repercussions if the stolen data is weaponized.

Description: Oracle released an emergency patch for CVE-2025-61882 (CVSS 9.8), a critical zero-day vulnerability in its E-Business Suite, actively exploited by the Cl0p ransomware group and potentially the Scattered LAPSUS$ Hunters. The flaw allows unauthenticated remote attackers to execute arbitrary code via HTTP, compromising the Oracle Concurrent Processing component. Cl0p leveraged this in a high-volume phishing campaign, stealing large volumes of sensitive data from multiple victims in August 2025. Indicators of compromise (IoCs) include malicious IP addresses (e.g., 200.107.207[.]26, 185.181.60[.]11), reverse shell payloads, and exploit scripts (e.g., *oracle_ebs_nday_exploit_poc_...*). Mandiant warned of mass exploitation, urging organizations to investigate potential breaches even after patching, as attackers may have already exfiltrated data. The incident highlights the risk of supply-chain attacks via unpatched enterprise software, with Cl0p’s campaign targeting financial, HR, and operational data potentially disrupting business continuity and exposing customers/employees to fraud or regulatory penalties.

Description: Oracle faced two data security incidents with reported poor incident communication. An attacker allegedly accessed login servers and legacy Cerner data, leading to customers' personal information being at risk. Missteps in Oracle's response include outright denial, potentially misleading statements, and accusations of deleting evidence online, compounding the damage to their reputation.

Description: Oracle Health, the healthcare subsidiary of Oracle Corporation, experienced a data breach involving legacy Cerner data migration servers. This incident, which Oracle has communicated to its customers through private letters, is reported to have potentially exposed sensitive customer data. The breach is a consequence of Oracle's acquisition of Cerner Corp, a notable electronic health records business, as Oracle aimed to transition the healthcare software to cloud infrastructure. The significance of the data involved and the potential ramifications of such breaches in the healthcare sector underline the serious nature of this cybersecurity event.

Description: Oracle recently faced allegations of a data breach, with a threat actor claiming to have stolen 6 million records from Oracle Cloud's SSO login servers. Oracle has denied any breach, stating there was no compromise of their cloud services and customers' data remained secure. The threat actor, rose87168, attempted to sell the data and claimed the information includes SSO passwords, Java Keystore files, key files, and JPS keys from Oracle Cloud servers. Despite encrypted and hashed passwords requiring decryption or cracking, the impact of such a breach if proven accurate could potentially be significant, undermining trust in Oracle's cloud security and potentially impacting customers whose data was compromised.

Description: A breach at Oracle Health has resulted in the theft of patient data from legacy servers impacting multiple US healthcare organizations and hospitals. Unauthorized access by a threat actor after January 22, 2025, led to the exfiltration of Electronic Health Records (EHR) data with potential violations of HIPAA laws. There is uncertainty whether ransomware was involved, but Oracle Health's response has been criticized for lack of transparency and failure to provide proper guidance and documentation, leaving hospitals to navigate the aftermath themselves.

Description: Ransomware in 2025: A Systemic Threat Disrupting Global Supply Chains and Critical Services In 2025, ransomware evolved from isolated IT disruptions into a systemic risk, threatening national supply chains, essential services, and entire industries. Cybersecurity Ventures projects the global cost of ransomware will surge to $275 billion annually by 2031, driven by downtime, data loss, recovery efforts, and lost productivity not just ransom payments. A recent SOCRadar analysis highlighted the top 10 ransomware attacks of 2025, each exposing vulnerabilities across sectors: 1. Salesforce Ecosystem – A SaaS supply chain blind spot exploited for widespread disruption. 2. Oracle E-Business Suite – A zero-day attack leveraging supply chain extortion. 3. Jaguar Land Rover – Britain’s costliest cyberattack, crippling automotive operations. 4. Ingram Micro – A ransomware strike paralyzing global IT distribution. 5. Co-operative Group – A sustained siege on the UK retail sector. 6. PowerSchool – Large-scale extortion targeting the education sector. 7. Synnovis – Healthcare disruption with confirmed patient harm. 8. DaVita – Ransomware striking critical healthcare infrastructure. 9. Asahi Group – Manufacturing halts exposing IT-OT convergence risks. 10. Collins Aerospace – Ransomware grounding European airports. Key patterns emerged across these incidents: - Initial access frequently relied on stolen credentials or social engineering rather than sophisticated exploits. - Supply chain vulnerabilities amplified impact, turning single breaches into cascading failures. - Data theft and operational paralysis often outweighed encryption as the primary damage driver. - Delayed consequences such as regulatory penalties or confirmed human harm surfaced months after the attacks. The incidents underscore ransomware’s growing role as a strategic threat, with far-reaching consequences beyond financial losses.

Description: Oracle has patched a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite, actively exploited by the Clop hacking group to steal personal information of corporate executives and extort victims. The flaw allows remote exploitation without credentials, enabling mass data theft from thousands of organizations using the suite for customer data and employee HR files. Initially, Oracle downplayed the threat, linking extortion emails to older patched vulnerabilities from July. However, the newly discovered zero-day confirms ongoing exploitation since at least August 2024, with Clop demanding ransom to prevent leaking stolen data. Google’s Mandiant reported widespread attacks, though not all victims have been contacted yet. The breach poses severe risks to executive privacy, corporate reputation, and operational security, with potential cascading effects on Oracle’s enterprise clients globally.

Description: A new extortion campaign targeted executives across multiple companies using Oracle E-Business Suite, with threat actors (potentially the Clop ransomware gang/FIN11) sending emails claiming theft of sensitive data. The campaign, active since at least September 29, 2025, leveraged hundreds of compromised email accounts, some linked to prior FIN11 activity. While the emails included contact details tied to Clop’s data leak site, Mandiant and Google Cloud have not yet confirmed actual data theft. The attack exploits potential vulnerabilities in Oracle’s platform, though no zero-day confirmation exists. Organizations were urged to investigate unusual access in their Oracle environments. Clop, known for ransomware deployment and data extortion, has historically exploited file transfer flaws (e.g., Cleo zero-days in 2024) to steal corporate data. The U.S. State Department offers a $10M reward for ties between Clop and foreign governments. The incident remains under investigation, with risks including financial extortion, reputational damage, and potential data leaks if claims are substantiated.

Description: Hackers linked to the Russian ransomware gang Clop (FIN11) are exploiting vulnerabilities in Oracle E-Business Suite, a critical enterprise platform managing finance, HR, and supply chain data. The threat actors claim to have stolen sensitive corporate information and are conducting a high-volume extortion campaign, targeting executives across multiple organizations via compromised email accounts. While the exact scope of the breach remains unconfirmed, the group has historically leveraged stolen data for ransom demands rather than system disruption. Oracle previously disclosed a January 2024 incident where hackers accessed legacy systems and stole client credentials, raising concerns about credential reuse and exposure. The current campaign, launched on September 29, 2024, mirrors Clop’s past tactics such as the MOVEit attacks which impacted 2,773 organizations and exposed 96 million records. The group has demanded ransoms under the threat of leaking stolen data, using email addresses tied to Clop’s official leak site. Mandiant and Google Threat Intelligence Group (GTIG) are investigating but have not yet verified the full extent of the breach or the legitimacy of the stolen data claims.

Description: The Clop ransomware gang (Graceful Spider) breached Oracle Corporation by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), an unauthenticated remote code execution (RCE) flaw with a CVSS score of 9.8. The attack bypassed authentication via the SyncServlet endpoint and injected malicious XSLT templates through RF.jsp, granting full control over enterprise systems. Oracle’s internal data and customer information were exposed, with Clop listing the company on its dark web leak site under a 'PAGE CREATED' status. The breach aligns with Clop’s broader campaign targeting high-profile victims (e.g., Mazda, Humana, Washington Post) via extortion emails threatening public data leaks unless ransoms are paid. The attack leveraged reused infrastructure from prior exploits (e.g., 2023 MOVEit vulnerability), with 96 distinct IPs tied to Russian-linked service providers. The incident underscores the severe risk posed by unpatched EBS instances, which manage critical functions like procurement, logistics, and financial records globally.

Description: The cyberattack on Oracle Cloud orchestrated by 'rose87168' led to the theft of 6 million records potentially affecting over 140,000 tenants. Exfiltrated data includes sensitive JKS files, encrypted SSO passwords, key files, and JPS keys. This information is now sold on dark web forums. The breach, exploiting CVE-2021-35587, poses risks of unauthorized access and corporate espionage given the type of data stolen. Oracle's compromised subdomain and vulnerable software version highlight security gaps and raise concerns of lateral movement within the cloud environment.

Description: Oracle Corporation endured a data breach affecting its Gen 1 servers, with no complete PII exposure but involving 6 million data records including usernames, email addresses, and hashed passwords. Sensitive credentials related to SSO and LDAP were also compromised. The breach, attributed to the threat actor 'rose87168' via a 2020 Java exploit, resulted in the theft of JKS files and Enterprise Manager JPS keys from legacy systems approximately 16 months old. Oracle has informed clients and taken steps to bolster Gen 1 server security while maintaining that its Gen 2 servers and primary Oracle Cloud infrastructure remain secure.

Description: The Clop ransomware gang (Graceful Spider) exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), an enterprise resource planning system used for order management, procurement, and logistics. The unauthenticated remote code execution (RCE) flaw allowed attackers to bypass authentication via the OA_HTML/SyncServlet endpoint and inject malicious XSLT templates through OA_HTML/RF.jsp, granting full control over sensitive ERP data. Oracle was listed on Clop’s dark web leak site, suggesting internal corporate data potentially financial and employee records was compromised. The attack leveraged reused infrastructure from prior campaigns (e.g., 2023 MOVEit exploits), with extortion emails sent to victims demanding ransom to prevent data leaks. Over 1,025 victims and $500M+ in extorted funds since 2019 highlight Clop’s persistence. The breach poses severe risks to Oracle’s supply chain integrity, operational continuity, and reputation, with potential cascading effects on clients like Mazda, Humana, and the Washington Post, also listed as victims.

Description: A Russian cybercrime group breached 100 computer systems belonging to Oracle's retail division and MICROS point-of-sale credit card payment systems. It did not expose corporate networks and other cloud and service offerings that were not affected by the breach. Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems.

Description: On July 10, 2013, Fidelity Investments experienced a data breach reported by the California Office of the Attorney General on July 31, 2013. An unauthorized individual gained access to a report containing sensitive personal information of Oracle Corporation employees, including names and Social Security numbers. The breach exposed confidential employee data, though the exact number of affected individuals remains undisclosed. The incident highlights a significant security lapse, as the compromised data could facilitate identity theft, financial fraud, or targeted phishing attacks against the affected employees. While the breach did not directly impact Fidelity’s customers, the exposure of third-party (Oracle) employee records underscores vulnerabilities in data handling and access controls. The breach’s discovery and reporting delay (21 days) may have further exacerbated risks, as affected individuals were left uninformed during this period. Such breaches erode trust in financial institutions’ ability to safeguard sensitive information, potentially leading to reputational damage and regulatory scrutiny. The nature of the stolen data Social Security numbers makes it particularly high-risk, as this information is immutable and highly valuable to cybercriminals for long-term exploitation.