Tulane University has confirmed that 80,867 individuals were impacted by a data breach stemming from an August 2025 ransomware incident tied to the Clop ransomware group's mass exploitation of an Oracle E-Business Suite zero-day vulnerability. Notifications disclosed this week reveal that names, Social Security numbers, and direct deposit banking information were exfiltrated from the Louisiana-based institution's HR systems.
What Happened
Tulane University, a private research university in New Orleans, was added to Clop's data leak site in November 2025 following the group's claim of responsibility for exploiting a zero-day vulnerability in Oracle's E-Business Suite application. Tulane uses Oracle EBS for its human resources information systems, which housed the compromised data. According to the university's notification, it launched an investigation, notified law enforcement, and applied Oracle-provided patches once it became aware of the vulnerability. The incident is part of a broader Clop campaign that has so far added approximately 120 Oracle EBS victims to its leak site, with more than 30 organizations confirming breaches, including six educational institutions.
What Was Taken
The breach exposed a high-impact combination of personally identifiable information and financial data for 80,867 individuals. Confirmed compromised data includes:
- Full names
- Social Security numbers
- Direct deposit and banking information
The combination of SSN and direct deposit data is particularly dangerous, providing threat actors with the building blocks for synthetic identity fraud, tax fraud, ACH redirection schemes, and targeted payroll diversion attacks. Affected individuals are being offered complimentary access to Experian IdentityWorks identity theft protection services.
Why It Matters
This incident reinforces that Clop has cemented its operational model around mass exploitation of enterprise SaaS and middleware zero-days, with universities emerging as a soft underbelly. Tulane joins a growing list of higher education victims from the Oracle EBS campaign, including Dartmouth College (99,596 affected), the University of Pennsylvania (46,491 affected), the University of Phoenix (3,489,274 affected), Harvard University, and South Africa's Wits University. The Tulane disclosure ranks as the third-largest confirmed ransomware breach against a US education provider in 2025 by records affected. With 54 confirmed ransomware attacks against US education in 2025 exposing over 4 million records, the sector remains a high-volume, high-yield target for double-extortion crews.
The Attack Technique
Clop exploited a zero-day vulnerability in Oracle E-Business Suite, a widely deployed enterprise resource planning platform used for HR, finance, and procurement workflows. Consistent with Clop's well-established TTPs against managed file transfer and enterprise application zero-days, including the prior MOVEit and Cleo file transfer exploits, the group focused on data exfiltration rather than file encryption. This "steal and extort" approach allows Clop to monetize breaches by leveraging victim publication on its leak site to pressure ransom payment, even when victims maintain operational continuity. Organizations running unpatched or delayed-patch Oracle EBS instances at the time of the campaign were swept up indiscriminately, with Clop scanning broadly for vulnerable deployments.
What Organizations Should Do
- Patch Oracle E-Business Suite immediately and audit all internet-exposed Oracle EBS instances for indicators of compromise tied to the Clop campaign.
- Hunt retroactively for exfiltration activity in EBS logs, including anomalous outbound data transfers, unexpected admin sessions, and unusual database queries during August through November 2025.
- Segment ERP and HRIS environments from general corporate networks and restrict internet exposure of administrative interfaces through VPN, ZTNA, or IP allowlisting.
- Implement egress monitoring and DLP controls on systems holding SSN, payroll, and direct deposit data to detect bulk exfiltration in progress.
- Review payroll and ACH change-control workflows to require out-of-band verification for direct deposit modifications, mitigating downstream fraud from leaked banking data.
- Establish a zero-day response playbook for enterprise SaaS and ERP platforms, including pre-authorized emergency patch windows and vendor advisory monitoring.
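As an added illustration of the retroactive hunt in the second recommendation above (example code written for this article, not Tulane's or Oracle's tooling), the following Python script scans constructed egress-log lines for bulk outbound transfers from hosts in an ERP/HRIS segment during the August through November 2025 window and notes whether the activity fell in off-hours. The log format, the "ebs-" host-naming prefix, the 500 MiB per-host-per-destination-per-day threshold and the off-hours range are all assumptions to be tuned to a real environment.

```python
"""Retroactive hunt over constructed egress-proxy log lines for bulk outbound
transfers from Oracle EBS segment hosts during the Aug-Nov 2025 campaign window.
Log format, host naming, thresholds and sample data are hypothetical."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <src_host> <dst_ip> <bytes_out> <user>"
SAMPLE_LOG = """\
2025-08-12T02:14:09 ebs-app-01 203.0.113.45 734003200 appadmin
2025-08-12T02:31:50 ebs-app-01 203.0.113.45 912261120 appadmin
2025-08-12T09:05:11 ebs-app-01 198.51.100.7 20480 jdoe
2025-07-30T10:00:00 ebs-app-01 203.0.113.45 999999999 appadmin
2025-09-03T03:10:42 ebs-db-01 203.0.113.45 1258291200 sysadmin
2025-09-03T11:20:00 hr-workstation-9 198.51.100.7 51200 mlee
"""
WINDOW_START = datetime(2025, 8, 1)               # campaign window per the advisory
WINDOW_END = datetime(2025, 11, 30, 23, 59, 59)
EBS_HOST_PREFIXES = ("ebs-",)                     # assumed naming for the ERP/HRIS segment
BULK_THRESHOLD_BYTES = 500 * 1024 ** 2            # > 500 MiB to one destination per host/day
OFF_HOURS = range(0, 6)                           # 00:00-05:59 local; tune per site

def parse_line(line):
    ts, host, dst, nbytes, user = line.split()
    return datetime.fromisoformat(ts), host, dst, int(nbytes), user

def hunt(log_text):
    """Return findings as (host, dst, day, total_bytes, off_hours_seen, users),
    keeping only EBS hosts inside the window whose daily egress to one
    destination exceeds the bulk threshold."""
    totals = defaultdict(lambda: [0, False, set()])
    for line in log_text.splitlines():
        ts, host, dst, nbytes, user = parse_line(line)
        if not host.startswith(EBS_HOST_PREFIXES):
            continue                              # outside the ERP/HRIS segment
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue                              # outside the hunt window
        entry = totals[(host, dst, ts.date().isoformat())]
        entry[0] += nbytes
        entry[1] |= ts.hour in OFF_HOURS
        entry[2].add(user)
    return sorted(
        (h, d, day, tot, off, sorted(users))
        for (h, d, day), (tot, off, users) in totals.items()
        if tot > BULK_THRESHOLD_BYTES
    )

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print("BULK EGRESS:", finding)
```

In practice the same aggregation would run over exported proxy or NetFlow records, with the flagged host/destination/day tuples then correlated against EBS admin session logs and database audit trails for the same period.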