Hitachi-owned GlobalLogic admits data stolen on 10k current and former staff

November 11, 2025 TH Author

Digital engineering outfit GlobalLogic says personal data from more than 10,000 current and former employees was exposed in the wave of Oracle E-Business Suite (EBS) attacks attributed to the Clop ransomware gang. The Hitachi-owned biz joins a growing roster of high-profile victims that also now includes The Washington Post and Allianz UK.

In a filing with Maine’s attorney general, the US-based GlobalLogic said that 10,471 individuals were affected after criminals gained unauthorized access to its systems.

In notification letters sent to those impacted, seen by The Register, GlobalLogic admitted the stolen data included names, addresses, Social Security numbers, passport information, and bank account details.

GlobalLogic said its investigation identified the earliest date of criminal activity as July 10, 2025, with the most recent occurring on August 20, 2025. This aligns with findings from Google Threat Intelligence Group (GTIG) and Mandiant, which said that suspicious HTTP traffic targeting Oracle EBS servers began in early July.

The disclosure makes GlobalLogic one of the latest victims of the widespread exploitation of Oracle EBS vulnerabilities disclosed earlier this year, which have since been linked to the Clop cybercrime group. The attackers are believed to have exploited flaws tracked as CVE-2025-61882 and CVE-2025-61884 in Oracle’s enterprise resource planning software, targeting organizations that left their systems exposed to the internet.

The same campaign has already hit a number of major companies. The Washington Post confirmed last week that it was among those affected. Allianz UK also confirmed earlier this week that it had been caught up in the same wave of attacks, telling The Register that 80 current and 670 former customers were impacted.

These confirmations come as Clop names almost 30 organizations allegedly exposed by the Oracle EBS campaign on Clop’s leak site. The listing, seen by The Register, spans sectors from healthcare and consumer electronics to finance, manufacturing, education, and media.

Big Red released emergency patches for the vulnerabilities in September, but researchers say many organizations were likely compromised before the updates became available. Clop has a history of rapidly exploiting newly disclosed flaws in widely used enterprise software, including Accellion, MOVEit, and GoAnywhere.

The scale of the campaign highlights how deeply embedded Oracle’s EBS platform remains in corporate environments, despite its age and complexity. First launched more than two decades ago, EBS integrates payroll, procurement, and HR systems, making it a valuable target for attackers seeking sensitive financial or employee information.

Unlike traditional ransomware campaigns that encrypt data, Clop’s operators increasingly focus on data theft and extortion, publishing stolen files on dark web leak sites to pressure victims into paying. That approach avoids the operational risks of deploying encryptors and has proven lucrative for the group in previous mass-exploitation incidents.

Oracle hasn’t commented publicly on the scale of the breaches and didn’t respond to The Register‘s questions, but Clop’s leak site continues to expand – suggesting the campaign is still very much active. ®