University of Pennsylvania Data Breach Lawsuit Investigation
On December 1, 2025, the University of Pennsylvania disclosed that unauthorized actors accessed data within its Oracle E-Business Suite. If you received a breach notice, you may be entitled to free identity-protection services and potential compensation. Complete the form on this page to learn your rights.
What Happened?
The University of Pennsylvania (“Penn”) uses Oracle E-Business Suite (Oracle EBS) to manage supplier payments, reimbursements, and other financial operations. Oracle announced a previously unknown security vulnerability affecting EBS installations worldwide. Penn’s investigation, assisted by cybersecurity specialists and federal law enforcement, confirmed that attackers exploited the flaw and obtained data stored in Penn’s EBS environment. On November 11, 2025, Penn determined that personal information belonging to certain individuals had been accessed.
Download Official Breach Notice (PDF)
Data Involved
The notification indicates that personal information was among the data accessed. The university’s letter does not publicly detail the specific data elements but states it has found no evidence of misuse or public disclosure.
Response Measures
- Immediate investigation with outside cybersecurity experts
- Prompt application of all Oracle security patches addressing the vulnerability
- Cooperation with an ongoing federal law-enforcement investigation
- System hardening to prevent similar incidents
- Offering complimentary Experian IdentityWorks credit monitoring, identity-restoration support, and $1 million identity-theft insurance for 24 months
Your Next Steps
Penn recommends the following protective actions, which our legal team echoes:
- Enroll in the free Experian IdentityWorks service by the deadline listed in your letter.
- Review bank, credit-card, and government correspondence for unfamiliar activity and report anything suspicious immediately.
- Consult the “Reference Guide” attached to your letter for additional safeguards.
- Document any time or money spent responding to the breach; this information may support a future claim.
Can You File a Lawsuit?
If your personal information was compromised, you could be eligible for compensation for out-of-pocket losses, time spent addressing the breach, and future risk. Our firm is investigating potential claims against the University of Pennsylvania for failing to protect student, employee, and vendor information. Submit your details through the form on this page to receive a free, no-obligation case evaluation.
Company Overview
- Official website: upenn.edu
- Privacy policy: upenn.edu/privacy
- Headquarters: 3451 Walnut Street, Philadelphia, PA, United States
- Industry: Higher education
- Year founded: 1740
- Academic staff: Approximately 4,793
- Official social media: LinkedIn, Facebook, YouTube, Instagram
Frequently Asked Questions
I received a data breach letter from University of Pennsylvania — what should I do?
Follow the instructions in the letter, enroll in the complimentary Experian service before the stated deadline, and monitor your accounts for unusual activity. Save all related correspondence.
How do I submit a claim related to the University of Pennsylvania data breach?
Fill out the form on this page. Our legal team will review your information and explain your options for seeking compensation.
What information did the University of Pennsylvania breach expose?
The notice confirms that personal information was accessed but does not publicly specify the categories involved.
Did University of Pennsylvania offer credit monitoring, and for how long?
Yes. Penn is providing 24 months of Experian IdentityWorks credit monitoring, identity-restoration services, and a $1 million insurance policy.
How can I get the official breach notice (PDF) for the University of Pennsylvania incident?
Click the “Download Official Breach Notice (PDF)” button above to view the Attorney General filing.