The Financial News 247

Dartmouth Data Breach Exposes 40,000 Social Security Numbers In Cl0p’s Oracle Rampage

By News Room, December 7, 2025

Dartmouth College has confirmed that a three-day cyberattack in August compromised the personal information of more than 40,000 people, including Social Security numbers and financial account details, in what has become one of the most significant data breaches to hit higher education this year.

The attack, disclosed in breach notifications filed with state attorneys general last week, is part of a sweeping campaign that has hit more than one hundred organizations worldwide, according to security researchers. The perpetrators exploited a previously unknown vulnerability in Oracle’s E-Business Suite, the enterprise software Dartmouth and thousands of other institutions use to manage everything from payroll to procurement.

The Cl0p ransomware gang has claimed responsibility for the campaign on its dark web leak site, where it has posted stolen data from multiple victims including Dartmouth. Security firms CrowdStrike and Google’s Threat Intelligence Group have independently attributed the exploitation campaign to Cl0p, with Google researchers noting overlap with infrastructure and tactics previously linked to the group.

For the victims receiving notification letters this month, the breach represents a textbook example of supply chain risk: Dartmouth did nothing wrong. No employee clicked a malicious link. No password was guessed. The college’s own systems were not directly hacked. Instead, attackers found a hidden flaw in software the institution trusted, and used it to steal files containing some of the most sensitive information an organization can hold.

The breach affected 31,742 New Hampshire residents and 12,701 Vermonters, according to filings with those states’ attorneys general. Dartmouth also filed breach notices in Maine, California and Texas, meaning the combined total exceeds 44,000, though the college has not disclosed a comprehensive figure. The compromised data includes names combined with Social Security numbers and, in some cases, bank account information.

“The breach involved the disclosure of names, combined with Social Security numbers, possibly bank accounts, and occurred in a three-day period in mid-August,” Vermont Attorney General Charity Clark told WCAX.

The attackers struck between August ninth and August twelfth, weeks before Oracle even knew the vulnerability existed. Google’s researchers confirmed that Cl0p had been exploiting the flaw, tracked as CVE-2025-61882, as a zero-day since at least early August, with suspicious reconnaissance activity dating back to July. The vulnerability carries a CVSS score of 9.8 out of 10, making it as severe as security flaws get.

Oracle did not issue a patch until October fourth, nearly two months after the initial attacks began. By then, the damage was done.

FBI Assistant Director Brett Leatherman called it a “stop what you’re doing and patch immediately” vulnerability in a LinkedIn post urging organizations to act. The Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalog on October sixth, mandating that federal agencies patch within days.

Dartmouth is not alone among elite universities. Harvard confirmed in October that attackers had accessed data from what a spokesperson described as “a small administrative unit” using the same Oracle flaw. The University of Pennsylvania disclosed a similar breach last week, affecting at least 1,488 individuals according to state filings. Cl0p has also claimed victims including The Washington Post, Logitech and American Airlines subsidiary Envoy Air, posting stolen data to its leak site and making it available for download via torrent.

For those familiar with Cl0p’s tactics, the Oracle campaign follows a well-established playbook. In 2023, the group exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer tool, ultimately compromising more than 2,000 organizations and exposing the personal data of tens of millions of individuals, according to researchers tracking the campaign. The ransomware response firm Coveware estimated Cl0p earned roughly $75 million from MOVEit alone.

The group’s strategy is consistent: identify widely used enterprise software, find or acquire a zero-day exploit, then hit as many targets as possible before patches are available. Researchers at Cybereason, who have been tracking the Oracle campaign, described Cl0p’s methodology: “CL0P often conducts extensive reconnaissance, custom code development, CVE attack chaining and coordinates mass scale victimization in rapid, iterative, and sometimes parallel succession.”

What makes zero-day attacks particularly difficult to defend against is that organizations have no warning. Traditional security measures — firewalls, antivirus software, employee training — cannot stop an attacker exploiting a vulnerability that no one knows exists. The flaw was in Oracle’s code. Dartmouth was simply running the software as designed.

“This incident was not the result of any ‘phishing’ attack on a member of the Dartmouth community or any other action or inaction on Dartmouth’s part,” college spokesperson Jana Barnello said.

Clark, the Vermont attorney general, said the incident should prompt legislative action. “Our Legislature in Vermont has had many opportunities to pass a comprehensive data privacy law that would hopefully reduce the number of data breaches we see and also minimize the harm that could potentially occur if there is a data breach,” she said. “That really, in my mind, is the place we should be focusing.”

Dartmouth has implemented all publicly available patches from Oracle and established a dedicated assistance line for affected individuals. The college is offering one year of complimentary identity monitoring through Experian IdentityWorks to anyone whose Social Security number was exposed. Enrollment must be completed by February 28, 2026.

For anyone who received a notification letter, the immediate steps are straightforward: enroll in the free credit monitoring, place fraud alerts or security freezes with the three major credit bureaus, and monitor financial statements closely for the next 12 to 24 months. Social Security numbers do not expire. Once stolen, they retain value to criminals indefinitely.

The larger question is how organizations can protect themselves when the software they rely on contains flaws no one has yet discovered. The answer, uncomfortable as it may be, is that complete protection is impossible. What matters is how quickly vulnerabilities are patched once known, how effectively organizations monitor for signs of compromise, and how transparently they communicate with victims when breaches occur.
