Full Report
GlobalLogic, a provider of digital engineering services part of the Hitachi group, is notifying over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. [...]
Analysis Summary
# Incident Report: GlobalLogic Oracle EBS Data Breach
## Executive Summary
GlobalLogic experienced a significant data breach affecting its Oracle E-Business Suite (EBS) environment, resulting in the theft of personal data belonging to 10,471 current and former employees. The incident was facilitated by the exploitation of an Oracle EBS zero-day vulnerability, likely associated with the Clop ransomware gang's ongoing campaign. The compromised data includes highly sensitive information such as SSNs, bank details, and HR records, necessitating broad notification efforts.
## Incident Details
- **Discovery Date:** After October 9, 2025 (when access/exfiltration was identified)
- **Incident Date:** Initial threat actor activity detected starting July 10, 2025, with exfiltration occurring on October 9, 2025. Most recent activity noted on August 20, 2025.
- **Affected Organization:** GlobalLogic (a Hitachi group company)
- **Sector:** Digital Engineering Services/Software and Product Development
- **Geography:** Based in Santa Clara, California, with global operations.
## Timeline of Events
### Initial Access
- **Date/Time:** Earliest activity detected July 10, 2025.
- **Vector:** Exploitation of an Oracle EBS zero-day vulnerability (suspected CVE-2025-61882).
- **Details:** Attackers gained access to the company's Oracle platform.
### Lateral Movement
- **Details:** Not explicitly detailed, but access was confined to the Oracle platform hosting HR information.
### Data Exfiltration/Impact
- **Date/Time:** October 9, 2025.
- **Details:** Personal information belonging to 10,471 employees was stolen from the Oracle EBS system.
### Detection & Response
- **Detection:** Identified internally following the data exfiltration on October 9, 2025.
- **Response Actions:** GlobalLogic began drafting and sending out required breach notifications to affected individuals as of November 2025 (based on the reporting date).
## Attack Methodology
- **Initial Access:** Exploitation of an Oracle EBS zero-day vulnerability (consistent with Clop's known methods).
- **Persistence:** Not explicitly detailed, but access was maintained between July and August 2025.
- **Privilege Escalation:** Assumed necessary to access HR data within the EBS system, but specific techniques are unknown.
- **Defense Evasion:** The use of a zero-day suggests initial evasion capabilities against standard signatures/patching.
- **Credential Access:** Unknown, but necessary to access and enumerate sensitive employee records.
- **Discovery:** Unknown targeted reconnaissance within the Oracle environment.
- **Lateral Movement:** Confined to the exploited Oracle platform.
- **Collection:** Gathering of highly sensitive HR data (names, SSNs, salary, bank details).
- **Exfiltration:** Unauthorized data extraction from the Oracle EBS platform on October 9, 2025.
- **Impact:** Confidentiality breach of employee Personal Identifiable Information (PII) and financial data.
## Impact Assessment
- **Financial:** Not disclosed; potentially includes regulatory fines and costs associated with remediation and notification.
- **Data Breach:** 10,471 current and former employees affected. Data includes: Name, address, phone number, emergency contact details, email addresses, date of birth, nationality, country of birth, passport information, national identifiers/tax identifiers (e.g., SSNs), salary information, and bank account details.
- **Operational:** The incident was isolated to the Oracle platform; no impact on systems outside this platform was reported.
- **Reputational:** Negative impact due to the large scale of employee data loss and association with major data extortion campaigns.
## Indicators of Compromise
- **Network indicators:** (None provided in the source material; system logs related to the zero-day exploit exploitation would be primary IOCs.)
- **File indicators:** (None provided in the source material.)
- **Behavioral indicators:** Unusual activity patterns within the Oracle EBS environment between July and August 2025, specifically related to bulk data queries or staging preceding the October 9 exfiltration.
## Response Actions
- **Containment measures:** Implied containment following the identification of exfiltration on October 9, 2025, likely involving patching/mitigating the zero-day vulnerability (if confirmed) and revoking unauthorized access.
- **Eradication steps:** Unknown, but would focus on removing threat actor access points in the Oracle EBS system.
- **Recovery actions:** Notification process initiated to over 10,000 affected individuals via official letters.
## Lessons Learned
- Reliance on a single, potentially monolithic application like Oracle EBS can concentrate risk, as demonstrated by the zero-day exploitation affecting numerous companies globally.
- The long dwell time (July 10 to October 9) between initial access and identified exfiltration highlights potential gaps in continuous monitoring of critical systems.
## Recommendations
- Immediately apply relevant security patches or implement compensating controls for the reported Oracle EBS zero-day vulnerability (CVE-2025-61882, if confirmed).
- Enhance monitoring, logging, and anomaly detection specifically within the Oracle E-Business Suite environment to reduce the dwell time of threat actors.
- Review and segment high-risk HR/financial data stores to minimize exposure should a key application be compromised.
- Conduct external penetration testing focused on known critical enterprise applications like Oracle EBS to preemptively discover exploitable flaws.