Digital engineering firm GlobalLogic has confirmed that a large-scale data breach, linked to the notorious Clop ransomware gang, exposed the personal information of 10,471 current and former employees. The Hitachi-owned company filed a disclosure with Maine’s attorney general, acknowledging that criminals gained unauthorized access to its systems. According to notification letters sent to those affected, the stolen data is highly sensitive, comprising names, addresses, Social Security numbers, passport details, and bank account information. The period of unauthorized activity was identified as beginning on July 10, 2025, and concluding on August 20, 2025, aligning with broader threat intelligence reports indicating suspicious HTTP traffic targeting Oracle EBS servers starting in early July.
The disclosure positions GlobalLogic as one of the most recent victims in a widespread campaign exploiting vulnerabilities within the Oracle E-Business Suite (EBS), a campaign now strongly associated with the Clop cybercrime group. Attackers are believed to have leveraged security flaws tracked as CVE-2025-61882 and CVE-2025-61884 in the enterprise resource planning software, specifically targeting organizations whose EBS systems were accessible via the public internet. This systematic exploitation has already impacted numerous major corporations, with The Washington Post and Allianz UK recently confirming their involvement. Allianz UK, for instance, reported that 80 current and 670 former customers were affected, as Clop continues to list nearly 30 allegedly compromised organizations across multiple sectors on its dark web leak site.
While Oracle released emergency patches for the exploited vulnerabilities in September, many organizations were likely compromised before these updates were made available. This reflects Clop’s established strategy of rapidly exploiting newly disclosed flaws in widely used enterprise platforms, a tactic they have previously employed against software from vendors like Accellion, MOVEit, and GoAnywhere. The sheer scale of the current campaign underscores the deeply rooted and critical presence of Oracle’s EBS platform within the corporate world. Despite its age and inherent complexity, the system, which integrates essential functions like payroll, procurement, and HR, remains an extremely valuable target for threat actors seeking financial or employee data.
The methodology employed by Clop’s operators in this incident signals a shift away from traditional ransomware encryption toward pure data theft and subsequent extortion. By focusing solely on exfiltrating data and publishing stolen files on leak sites, the group successfully pressures victims into paying a ransom. This approach eliminates the operational risks associated with deploying encryptors and has proven to be a highly lucrative model for the cybercrime group in previous mass-exploitation events.
As the scale of these breaches continues to emerge, Oracle has yet to provide public commentary on the full extent of the compromises. Regardless, Clop’s dedicated leak site continues to expand its list of alleged victims. This ongoing growth strongly indicates that the campaign exploiting the critical Oracle EBS vulnerabilities remains active and is likely to claim additional corporate victims in the near future.