Schneider Electric and Emerson Named in Oracle E-Business Suite Data Breach
Two industrial technology firms — Schneider Electric and Emerson — have been named as victims in the widespread Oracle E-Business Suite exploitation campaign.

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Two major industrial technology firms — Schneider Electric and Emerson — have been named by cybercriminals as victims in the widespread Oracle E-Business Suite (EBS) exploitation campaign. This large-scale cyberattack, attributed to a profit-driven cluster linked to FIN11, involves data theft from dozens of organizations across multiple sectors.
The Cl0p ransomware group, which previously orchestrated similar attacks against MOVEit, Cleo, and Fortra file transfer systems, is believed to be behind the latest Oracle EBS campaign. The group has begun naming alleged victims and leaking data on its dark web leak site, a common extortion tactic used to pressure organizations into paying ransoms.
Data Leak and Victim Details
According to listings on the Cl0p leak website, the attackers claim to have exfiltrated:
- 2.7 terabytes (TB) of archive data allegedly belonging to Emerson 
- 116 gigabytes (GB) of archive files allegedly linked to Schneider Electric 
SecurityWeek conducted a structural analysis of the leaked file trees and associated metadata, finding strong indications that both datasets originated from Oracle EBS environments. Independent cybersecurity researcher Dominic Alvieri has also corroborated that the stolen data likely resulted from the Oracle vulnerability exploitation.
Both Schneider Electric and Emerson have yet to issue public statements or respond to requests for comment, suggesting internal investigations are ongoing.
Scope of the Oracle EBS Breach
The Oracle EBS campaign has impacted numerous organizations globally, spanning education, aviation, and industrial sectors. Confirmed victims include Harvard University, South Africa’s University of the Witwatersrand, and Envoy Air, a subsidiary of American Airlines.
Researchers believe the attackers leveraged a mix of known vulnerabilities and zero-day exploits in Oracle EBS, using them to gain unauthorized access to enterprise systems and extract sensitive corporate data.
Historical Context and Repeated Targeting
This incident marks yet another attack against both Schneider Electric and Emerson, which have previously been targeted by ransomware groups. In 2024, the Medusa ransomware gang claimed to have stolen nearly 1 TB of data from Emerson, demanding a $100,000 ransom. Schneider Electric has also confirmed multiple cyber incidents over the past year involving data exposure and extortion attempts.
Broader Implications
The Oracle EBS campaign highlights a growing trend of exploitation against enterprise management systems, which often store critical operational and financial data. For industrial giants like Schneider Electric and Emerson, such breaches pose not only data privacy risks but also potential threats to industrial control systems (ICS) and supply chain security.
While it remains unclear whether Cl0p’s latest claims are fully accurate, the group’s historical consistency and the evidence analyzed so far strongly suggest that the Oracle EBS breach is a credible and large-scale compromise.
Takeaway
Organizations relying on enterprise software such as Oracle EBS must ensure timely patching, network segmentation, and proactive monitoring to mitigate risks from both known and emerging exploitation campaigns.

