A new disclosure that underscores the increasing sophistication of enterprise-level cyberattacks underscores the need to take proactive measures against them. GlobalLogic has begun notifying more than ten thousand of its current and former employees that their personal information was compromised as a result of a security breach connected to an Oracle E-Business Suite zero-day flaw.
An engineering services firm headquartered in the United States, owned by Hitachi, announced the breach to regulators after determining that an unknown attacker exploited an unpatched vulnerability in the Oracle platform, the core platform used to manage finance, human resources, and operational processes at the company, so that sensitive data belonging to 10,000 employees was stolen.
The Maine Attorney General's office reported to the Maine State Attorney General that attackers had infiltrated GlobalLogic's environment with an advanced SQL-injection chain mapped to MITRE techniques T1190 and T1040, deploying a persistent backdoor through an Oracle Forms vulnerability, obtaining extensive employee data, including identification, contact information, passport information, tax and salary data, and bank account numbers, as well as extensive employee records.
The signs of compromise point to a coordinated data-extortion campaign in which privilege-escalation events were used to maintain prolonged access to data. Indicators like malicious IP ranges and rogue domains indicate that the attack was coordinated. In the aftermath of Oracle's security patches being released, GlobalLogic announced that an immediate investigation had been conducted, and the company is now urging the rapid implementation of vendor updates, enhanced logging, and temporary hardening measures in order to mitigate further risk.
With Hitachi's acquisition of the company in 2021, it has now served more than 600 enterprise clients around the world, and the company has officially reported the breach to California and Maine regulators, who confirmed that more than 10,500 current and former employees' personal information was exposed in the attack.
During GlobalLogic's investigation, it was discovered that the intrusion was a part of a larger campaign that was coordinated by the Clop ransomware group, which has been exploiting a zero-day flaw in Oracle's E-Business Suite since at least July in order to snare huge amounts of corporate information. There have been reports that several companies have been caught in this wave of attacks, and many are only aware of their compromise after they receive extortion emails from extortionists. Analysts are claiming that dozens of companies have been compromised.
It is reported by GlobalLogic that the company discovered the breach on October 9 but it was later discovered that the attackers gained access to the server on July 10, with the most recent malicious activity occurring on August 20 according to GlobalLogic's filings. Despite the fact that the incident was contained to the Oracle platform, the sheer amount of sensitive and high-level data stolen—from contact information to internal identifiers to passports to tax records to salary information to bank account numbers—does not make it easy for the severity of the attack to be noted.
A spokesperson for the company said that they immediately activated their incident response protocols, notified the law enforcement, and consulted external forensic experts after the zero-day exploit was discovered (CVE-2025-61882) was discovered, and that Oracle's patch for the vulnerability (CVE-2025-61882) was applied once it was released.
Security researchers later confirmed that Clop hacked numerous victims over a period of several months by exploiting multiple vulnerabilities within the same platform, demanding ransoms that often reached eight-figure sums.
It has been reported that nearly 30 organizations are currently listed on Clop's website after a breach of their systems was discovered last week. If these organizations do not pay the restitution, they will face public exposure. The kind of information exposed in the GlobalLogic breach highlights how sophisticated the attackers were.
According to the company's disclosure, the stolen data was representative of a wide range of personal information that is typically kept in human resources systems, such as names, home addresses, telephone numbers, addresses for emergency contacts, and identifiers for internal employees.
There were a variety of individuals whose exposure to cyber attacks was far more in-depth and involved email addresses, dates and countries of birth, nationalities, passports, tax and national identification numbers such as Social Security details, salary information, and full banking credentials for their online banking accounts.
A ransomware group known as Clop has been associated with several high-profile Oracle EBS data theft operations, as well as adding major companies to its Tor-based leak site, including Harvard University, Envoy Air, and The Washington Post, whose stolen data is already available via torrent downloads from a number of sources.
Despite the fact that GlobalLogic's information has not yet appeared on the leak portal, security analysts have said that the omission may be indicative of ongoing negotiations, or that a ransom has already been paid by the company.
The company spokesperson refused to comment on whether any demands were being addressed, but confirmed Clop has publicly claimed responsibility for the breach.
Now that the gang is being questioned more closely by the U.S. authorities after previously exploiting Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer in mass-scale data breaches, they are under greater scrutiny than ever before.
According to the State Department, there is a reward for intelligence that can be provided tying the group's operations to a foreign government worth up to $10 million.
In light of this incident, industry officials are calling for improved patch management, proactive threat hunting, and tighter oversight of third-party platforms supporting critical business operations that are used by critical business units.
According to GlobalLogic's analyst, the company's experience shows just how quickly a single vulnerability can lead to widespread damage when exploited by highly coordinated ransomware groups, particularly if the vulnerability has not yet been patched.
Despite continuing to investigate Clop's broader campaign, experts urge organizations to adopt continuous monitoring, strengthen vendor risk controls, and prepare for the likelihood that they will be the victim of future zero day exploits in the following years, as the modern enterprise threat landscape is now characterized by zero-day threats.
