Date of Incident:
2025-10-09
Overview:
GlobalLogic experienced a significant data breach involving their Oracle E-Business Suite on October 9, 2025. This breach led to the theft of personal information from 10,471 current and former employees, including sensitive data like passport details and bank information. Attackers exploited vulnerabilities using SQL injection and network sniffing techniques to access Oracle databases and maintain control via a backdoor. The incident, targeting the software sector, was reported on November 11, 2025, and shares similarities with companies like Infosys and Accenture.
Impact:
Personal information of 10,471 current and former employees including names, addresses, phone numbers, emergency contacts, email addresses, dates of birth, nationalities, passport information, tax identifiers, salary information, and bank account details was stolen.
Details:
The breach exploited vulnerabilities in Oracle E-Business Suite, mapped to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1040 (Network Sniffing). The attack used a crafted SQL injection payload to exfiltrate employee personal data stored in Oracle databases. IOCs include malicious IP ranges 192.168.1.100/25, domains oracle-breach-exploit.com, and file hashes e3b0c44298fc1c149afbf4c8996fb9
Remediation:
Oracle has released patches for affected E-Business Suite versions; apply CPU patches from October 2025 immediately. Temporary mitigation includes disabling unnecessary Oracle Forms modules and implementing strict WAF rules to block injection attempts. Regular review of audit logs and network traffic filtering is advised as a workaround until patches are fully deployed.
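As an added example (not part of the original write-up or any vendor tooling), this Python script checks log lines against the IP range and domain listed under Details, as one way to support the log review advised above. The log line format and the sample lines are constructed assumptions. The range as published has host bits set and lies in RFC 1918 private address space, so a match needs local context before it is treated as hostile.

```python
import ipaddress

# IOC values exactly as listed under Details on this page.
IOC_CIDR = "192.168.1.100/25"
IOC_DOMAIN = "oracle-breach-exploit.com"

def load_network(cidr):
    """Parse a CIDR IOC; returns (network, was_normalized)."""
    try:
        return ipaddress.ip_network(cidr), False
    except ValueError:
        # Host bits set in the published value: strict=False masks them to 192.168.1.0/25.
        return ipaddress.ip_network(cidr, strict=False), True

def domain_matches(host, ioc_domain):
    """Match the IOC domain or a subdomain, never a bare string suffix."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

def scan(lines, cidr=IOC_CIDR, domain=IOC_DOMAIN):
    """Return (network, was_normalized, hits) for the given log lines."""
    net, normalized = load_network(cidr)
    hits = []
    for n, line in enumerate(lines, 1):
        # Assumed (hypothetical) format: "<timestamp> <src_ip> <dest_host> <bytes>"
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dest, _size = parts
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip lines whose source field is not an IP
        if ip in net:
            hits.append((n, "ip", src))
        if domain_matches(dest, domain):
            hits.append((n, "domain", dest))
    return net, normalized, hits

# Constructed sample lines, not taken from the incident.
SAMPLE = [
    "2025-10-09T02:11:04Z 192.168.1.57 ebs.example.internal 812",
    "2025-10-09T02:11:09Z 192.168.1.200 ebs.example.internal 640",
    "2025-10-09T02:14:31Z 10.20.0.8 cdn.oracle-breach-exploit.com 48211",
    "2025-10-09T02:15:02Z 10.20.0.9 notoracle-breach-exploit.com 120",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```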
Takeaway for CISO:
The breach highlights risks in third-party SaaS platforms integrated with enterprise HR systems, emphasizing the need for continuous vulnerability assessment and strong monitoring controls. CISOs must enforce rapid patching procedures and incident response plans focusing on detecting privilege escalations and suspicious database queries.




