# Full Report
Body confirms patient and staff details siphoned via Oracle EBS flaw as gang threatens to leak haul

Barts Health NHS Trust has confirmed that patient and staff data was stolen in Clop's mass-exploitation of Oracle's E-Business Suite (EBS), and says it is now taking legal action in an effort to stop the gang publishing any of the snatched information.…

# Analysis Summary
# Incident Report: Clop Exploitation of Barts Health NHS Trust Oracle EBS
## Executive Summary
Barts Health NHS Trust confirmed that patient and staff data was exfiltrated following the mass exploitation campaign by the Clop ransomware group targeting vulnerable Oracle E-Business Suite (EBS) instances. The breach was discovered in November 2025 after data appeared on the dark web, though the theft occurred in August. The Trust is now pursuing legal action to prevent the publication of the sensitive data.
## Incident Details
- Discovery Date: November 2025 (when files were posted on the dark web)
- Incident Date: August 2025 (when theft occurred)
- Affected Organization: Barts Health NHS Trust
- Sector: Healthcare (NHS)
- Geography: London, UK
## Timeline of Events
### Initial Access
- Date/Time: August 2025 (implied start of Clop's global EBS raid)
- Vector: Exploitation of unpatched Oracle EBS vulnerability (CVE-2025-61882).
- Details: Attackers exploited a critical flaw in Oracle EBS that allowed unauthenticated data theft. The August theft predates Oracle's fix, which was released on October 4, 2025.
### Lateral Movement
- Details: Not explicitly documented in the summary, but the scope suggests the attackers accessed data within the vulnerable EBS environment. Core IT infrastructure and electronic patient/clinical systems were reported as unaffected.
### Data Exfiltration/Impact
- Date/Time: Occurred in August 2025.
- Details: Patient and staff personal details, including names and addresses of individuals liable for treatment costs, and personal details of former staff who owed money to the trust were siphoned. Documents related to accounting services provided to Barking, Havering, and Redbridge University Hospitals NHS Trust were also compromised. Almost half of the compromised files listed supplier details.
### Detection & Response
- Detection: November 2025, when files were posted on the dark web.
- Response actions: Investigation initiated; Barts Health confirmed data exfiltration; Collaboration with NHS England, the National Cyber Security Centre (NCSC), and the Metropolitan Police; Seeking a High Court order to ban the publication and sharing of the stolen data.
## Attack Methodology
- Initial Access: Exploitation of **CVE-2025-61882** in Oracle EBS (Unauthenticated data theft).
- Persistence: Not specified, likely limited to the duration of the exploit window.
- Privilege Escalation: Not explicitly detailed, but gaining access to sensitive data implies necessary access/privileges within the EBS application context.
- Defense Evasion: Because the flaw was exploited before a vendor fix was available (zero-day, or at most very recently disclosed), patch-based controls around the EBS application could not have stopped the initial access.
- Credential Access: Not specified, but data theft was achieved via remote exploitation of the vulnerability, not necessarily credential harvesting.
- Discovery: Implied internal reconnaissance within the targeted EBS environment to locate sensitive files.
- Lateral Movement: Limited to the scope of the affected EBS instance and associated shared document storage.
- Collection: Gathering patient/staff personally identifiable information (PII) and supplier/financial documents.
- Exfiltration: Data theft via the Oracle EBS vulnerability mechanism to the threat actor.
- Impact: Data compromise and extortion threat.
## Impact Assessment
- Financial: Costs associated with investigation, legal action (seeking High Court order), and potential regulatory fines (not quantified).
- Data Breach: PII of current and former staff, patient financial/personal details (names, addresses), and supplier data. Affects Barts Health directly and the accounting-service data Barts holds for another NHS Trust (Barking, Havering, and Redbridge University Hospitals NHS Trust).
- Operational: Core clinical and electronic patient record systems remain secure, limiting direct operational impact, but necessitating significant compliance/legal focus.
- Reputational: High-profile victim status in the UK healthcare sector; ongoing threat of data publication.
## Indicators of Compromise
(Note: No specific IOCs were provided in the source text; the placeholders below mark what a full report would contain.)
- Network indicators: none published (IP addresses or domains tied to the Clop exfiltration channels would be listed here, defanged).
- File indicators: none published (hashes of the leaked data sets would be listed here).
- Behavioral indicators: unauthenticated data extraction requests against the Oracle EBS application server, and large outbound transfers from that server to external destinations.
## Response Actions
- Containment measures: Not specified, but implied immediate mitigation efforts focusing on the vulnerable EBS instance (likely patching, isolation, or decommissioning).
- Eradication steps: Thorough forensic analysis to confirm the full scope of data accessed.
- Recovery actions: Pursuing injunctions to prevent data leakage; Notifying affected individuals and regulatory bodies.
## Lessons Learned
- Unpatched critical vulnerabilities (like CVE-2025-61882) in widely used enterprise applications (Oracle EBS) pose a significant, easily monetized risk to large organizations.
- The long gap between theft (August) and discovery (November, via the dark web rather than internal detection) highlights gaps in vulnerability monitoring and in detection of data exfiltration; the organization only learned of the exploitation from the attacker's own leak activity.
- Critical business applications must be prioritized for rapid patching following vendor advisories, especially when known to be targeted.
## Recommendations
- Immediately apply vendor-released patches for all enterprise systems, especially those facing the internet (e.g., Oracle EBS patches released October 4, 2025).
- Implement network segmentation and strict egress monitoring around critical application servers (like EBS) to detect and alert on large, unexpected data transfers leaving the network.
- Enhance threat hunting capabilities targeted at application-level anomalies rather than relying solely on perimeter defenses, given the nature of this successful exploitation.
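The egress-monitoring recommendation above, as an added illustrative example (not code from the Barts Health report, NHS England, or any Oracle tooling): it sums outbound bytes from a monitored application server to each external, non-allowlisted destination per time window and flags windows that exceed a threshold. The host name "ebs-app-01", the flow records, the 10.0.0.0/8 internal check and the 50 MB threshold are all constructed assumptions.

```python
# Added example: windowed egress-volume detection for a critical app server.
# Names, addresses, byte counts and the threshold are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds (constructed sample values)
    src: str        # internal source host
    dst: str        # destination address
    bytes_out: int  # bytes sent from src to dst


# Constructed sample flow records for a hypothetical EBS app server.
SAMPLE_FLOWS = [
    Flow(1000, "ebs-app-01", "10.0.5.20", 120_000),        # internal DB, normal
    Flow(1005, "ebs-app-01", "10.0.5.20", 90_000),
    Flow(1010, "ebs-app-01", "203.0.113.77", 30_000_000),  # external, large
    Flow(1015, "ebs-app-01", "203.0.113.77", 25_000_000),  # same window
    Flow(1030, "ebs-app-01", "10.0.5.20", 80_000),
    Flow(1040, "hr-web-02", "198.51.100.9", 2_000_000),    # host not monitored
]


def is_internal(addr: str) -> bool:
    """Assumption: internal address space is 10.0.0.0/8 (simple prefix check)."""
    return addr.startswith("10.")


def egress_alerts(flows, monitored_hosts, window_s=60,
                  threshold_bytes=50_000_000, allowlist=()):
    """Return sorted (host, dst, window_start, total_bytes) tuples for every
    monitored host / external destination / time window whose summed outbound
    bytes exceed threshold_bytes. Internal and allowlisted destinations are
    ignored; aggregation catches transfers split into sub-threshold chunks."""
    totals = defaultdict(int)
    for f in flows:
        if f.src not in monitored_hosts or is_internal(f.dst) or f.dst in allowlist:
            continue
        window = f.ts - (f.ts % window_s)
        totals[(f.src, f.dst, window)] += f.bytes_out
    return sorted((h, d, w, b) for (h, d, w), b in totals.items()
                  if b > threshold_bytes)


if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_FLOWS, {"ebs-app-01"}):
        print("ALERT large external egress:", alert)
```

Neither sample transfer alone crosses the threshold; only the per-window sum does, which is the point of aggregating rather than alerting on single flows.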