When personal information falls into the wrong hands, the consequences can last a lifetime. A recent class action lawsuit filed against Oracle Corporation and the University of Pennsylvania highlights the serious risks individuals face when organizations fail to protect sensitive data. The lawsuit, filed by plaintiff Lasha Vample, alleges that inadequate security measures led to a massive data breach compromising potentially hundreds of thousands of individuals’ most private information.
What Happened in the Oracle and Penn Data Breach?
On October 31, 2025, the University of Pennsylvania discovered that select information systems related to its development and alumni activities had been compromised. The breach involved a third-party Oracle software application called Oracle EBS—a financial application used to process supplier payments and reimbursements and to conduct other university business. According to the breach notice sent to affected individuals, Oracle had announced a “previously unknown security vulnerability” that allowed unauthorized access to Oracle EBS and the data stored within it.
The compromised information was extensive and deeply personal, including:
- Names and addresses
- Social Security numbers
- Financial account information
- Phone numbers and email addresses
- Dates of birth
- Tax identification numbers
According to cybersecurity sources, the Clop ransomware group claimed responsibility for the attack, stating they gained full access to an employee’s PennKey SSO account. This access reportedly allowed them to infiltrate Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files. The hackers allegedly exfiltrated data for approximately 1.2 million students, alumni, and donors, including sensitive demographic details such as religion, race, sexual orientation, estimated net worth, and donation history.
Perhaps most concerning, the lawsuit alleges that Defendants delayed notifying affected individuals for over two months. Penn didn’t begin notifying victims until December 1, 2025—a delay that potentially increased the harm by giving criminals more time to exploit the stolen information before victims could take protective measures.
Why This Data Breach Is Particularly Dangerous
The type of information compromised in this breach makes it especially valuable to identity thieves and particularly damaging to victims. Unlike credit card numbers, which can be canceled and replaced, Social Security numbers cannot be changed. Once this information is stolen, it creates a lifetime risk of identity theft and fraud.
The dark web marketplace for stolen data reveals just how valuable this information is. According to industry experts, personally identifiable information and Social Security numbers are worth more than ten times the value of credit card information on the black market. Personal information can sell for $40 to $200, while complete identity packages fetch even higher prices. This stolen data often remains dormant for months or even years before being used, meaning victims may not discover fraudulent activity until significant damage has already occurred.
Identity thieves can use stolen Social Security numbers and personal information for numerous malicious purposes:
- Opening fraudulent credit accounts: Criminals can apply for credit cards, loans, and lines of credit in victims’ names, destroying credit scores and creating financial chaos
- Filing false tax returns: Thieves file fraudulent tax returns to claim refunds before legitimate taxpayers can file
- Obtaining medical services: Using victims’ identities to receive medical treatment, which can corrupt medical records and create dangerous health information errors
- Securing employment: Using stolen Social Security numbers to obtain jobs, which can create tax problems and affect Social Security benefits
- Committing crimes: Providing false identification to law enforcement, potentially creating criminal records under victims’ names
The lawsuit emphasizes that the unencrypted nature of the stored data significantly increased the risk. Industry standards and federal guidelines have long recommended encryption of sensitive data, particularly Social Security numbers. The failure to encrypt this information represents a fundamental breach of data security best practices.
The Legal Claims: What Defendants Are Accused Of