Dartmouth College has officially confirmed it was the target of a cyberattack by the notorious Clop ransomware group. The breach, which occurred over several days in August, resulted in the theft of sensitive personal information, including Social Security Numbers and financial account details.
The Ivy League institution disclosed the incident in a filing with the Maine Attorney General's office, stating that attackers exploited a critical vulnerability in its Oracle E-Business Suite (EBS) software. The university began notifying affected individuals on November 24.
Key Takeaways
- Dartmouth College has confirmed a data breach executed by the Clop cybercrime group.
- Attackers exploited a zero-day vulnerability in Oracle's E-Business Suite software between August 9 and August 12.
- The personal data of at least 1,494 Maine residents, including Social Security Numbers and financial information, was stolen.
- The incident is part of a larger, widespread campaign by Clop that has affected numerous major organizations.
Details of the Dartmouth Security Incident
The security breach at Dartmouth College took place over a three-day period, from August 9 to August 12. During this window, cybercriminals accessed and exfiltrated multiple files from the university's systems. The attackers leveraged a previously unknown, or "zero-day," vulnerability in Oracle's widely used enterprise software.
According to the notification, the stolen data includes names and Social Security Numbers. For some individuals, financial account information was also compromised. While the filing specifies that 1,494 residents of Maine were impacted, the total number of victims from other states has not yet been publicly disclosed.
In response to the attack, Dartmouth stated it immediately took steps to secure its systems and launched an investigation. The university has also notified law enforcement agencies and is now in the process of informing those whose data was exposed.
University's Response and Mitigation Efforts
Dartmouth College has taken several actions following the discovery of the breach. The university confirmed it has applied all available security patches released by Oracle since the incident. Furthermore, it plans to enhance the oversight of its third-party vendors' security protocols. As a protective measure, Dartmouth is offering one year of complimentary credit monitoring services to individuals whose Social Security Numbers were compromised in the attack.
A Pattern of Widespread Attacks
The incident at Dartmouth is not an isolated event but rather a single component of a much larger, coordinated campaign by the Clop group. This Russia-linked cybercrime organization has a well-established history of targeting major corporations and institutions by exploiting vulnerabilities in popular enterprise software.
Clop's strategy typically involves identifying a zero-day flaw, exploiting it on a massive scale against numerous organizations simultaneously, and then stealing large volumes of data for extortion purposes. Unlike traditional ransomware that encrypts files, Clop focuses on data theft and the threat of public release.
A Growing List of Victims
The campaign targeting Oracle's E-Business Suite has affected several high-profile organizations. Victims of the same wave of attacks include:
- The Washington Post: Nearly 10,000 employees and contractors affected.
- Cox Enterprises: Data of almost 10,000 individuals compromised.
- Allianz UK: The UK branch of the global insurance giant.
- GlobalLogic: A technology company owned by Hitachi.
- Envoy Air: A subsidiary of American Airlines.
This pattern demonstrates Clop's ability to execute sophisticated, large-scale attacks that impact thousands of individuals across different sectors, from media and technology to higher education and aviation.
The Persistent Threat of Software Vulnerabilities
This series of attacks highlights the significant risks associated with enterprise software, which often handles vast amounts of sensitive financial and personal data. The reliance on such platforms makes them a high-value target for cybercriminals.
The situation for Oracle users is further complicated by the emergence of other security flaws. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a separate, actively exploited vulnerability in Oracle Identity Manager to its catalog of known threats.
This flaw, identified as CVE-2025-61757, was being used by attackers for months before a patch was released. CISA has mandated that all federal agencies apply the necessary fix by December 12, signaling the severity of the threat.
The continued discovery of critical vulnerabilities underscores the challenge organizations face in securing complex software environments against determined and well-resourced attackers.
For institutions like Dartmouth, the breach serves as a stark reminder of the importance of rapid patching, continuous system monitoring, and rigorous security assessments for all software vendors. As Clop and other groups continue to refine their tactics, organizations running critical enterprise systems remain on high alert.