Cyber Incident Victim: Tulane University

On August 10, 2025, Tulane University experienced unauthorized access to certain files stored in its Oracle E-Business Suite system after attackers exploited a zero‑day vulnerability in the software. The university uses the Oracle platform to manage human resources data, which includes employee and affiliate records. Upon discovering the intrusion, Tulane initiated an internal investigation, notified law enforcement, and applied the security patches released by Oracle to address the vulnerability. The institution continued to monitor its systems for further anomalous activity while the investigation proceeded. Tulane University did not publicly disclose the incident until months later, when it informed affected individuals that a breach had occurred.

On March 12, 2026, Tulane University announced that its investigation had confirmed that the unauthorized access on August 10, 2025, had resulted in the exposure of personal information belonging to individuals whose data resided in the compromised HR system. The exposed data included names, Social Security numbers, direct deposit details, and banking information. The university stated that individuals who received a data breach notification were considered to be at an increased risk of identity theft and fraud as a consequence of the exposure. In conjunction with the disclosure, Tulane indicated that it had cooperated with law enforcement throughout the investigation and had completed remediation steps such as patching the vulnerable software. Following the announcement, the national class action law firm Edelson Lechtzin LLP began investigating potential claims on behalf of those whose personal information may have been compromised in the incident.