Parexel International, LLC, reported a data breach after detecting unauthorized access to part of its Oracle-hosted systems, potentially exposing sensitive personal information of its employees.
Parexel International, LLC recently experienced a data breach involving sensitive personally identifiable information. According to the filing, on October 4, 2025, Parexel identified suspicious activity affecting a portion of its Oracle OCI E-Business Suite (Oracle EBS) environment.
Following detection, Parexel launched an investigation to determine the scope and impact of the incident. The investigation confirmed that an unauthorized third party may have accessed employees' sensitive information stored in the Oracle EBS system. Parexel then conducted a review to identify the data elements involved and determine which individuals were affected.
The type of information potentially exposed varies by individual but may include names, Social Security numbers, dates of birth, financial account numbers, payment card numbers (without CVV), and national identification numbers.
In its notification to the Massachusetts Attorney General, Parexel stated it detected “suspicious activity impacting a portion of its Oracle OCI E-Business Suite environment.” The company also confirmed that “sensitive personal information may have been accessed by an unauthorized third party.”
Parexel began mailing notification letters to affected individuals on December 17, 2025, outlining the types of information impacted and the resources available to them.
Third-party hosted enterprise systems carry several risks, particularly in highly regulated industries like clinical research and pharmaceuticals. Even when patient data is not involved, employee data breaches can lead to identity theft, financial fraud, and long-term privacy risks.
The Parexel breach is part of a broader trend of Oracle E-Business Suite (EBS) vulnerabilities currently being exploited across industries. Similar incidents include the Barts Health NHS breach and the University of Phoenix data compromise, which were tied to attackers using Oracle EBS zero-day vulnerabilities to access sensitive personal and financial information.
Organizations relying on Oracle EBS or similar enterprise systems face a systemic risk: third-party software may introduce vulnerabilities that affect employees, customers, or patients. More specifically, the Parexel breach shows that organizations must improve their vendor risk management, continuous monitoring, and rapid incident response, as attacks on these platforms can have severe implications for privacy, compliance, and organizational reputation.
A zero-day vulnerability is a software flaw that is unknown to the vendor and can be exploited by attackers before a patch is available.
Third-party risk management evaluates the security and compliance practices of vendors that handle or have access to sensitive data, minimizing potential exposure.
An incident response plan is a predefined set of procedures an organization follows after detecting a data breach, including investigation, notification, mitigation, and recovery.