Hanover, N.H. — Dartmouth College, one of the United States’ oldest and wealthiest academic institutions, has disclosed a significant data breach after the Clop extortion group published files allegedly stolen from the university’s Oracle E-Business Suite systems. The attack, carried out in early August, exposed a trove of personal and financial information, raising new concerns about the vulnerability of higher-education institutions in an era of increasingly targeted ransomware operations.
In regulatory filings made public this week, Dartmouth said hackers exploited an Oracle zero-day vulnerability that allowed them to access confidential files over a three-day window between August 9 and August 12. A review completed in late October found that at least 1,494 individuals had their names and Social Security numbers compromised, though the true scope of the impact is expected to be significantly larger.
The university’s disclosure comes amid a widening campaign by Clop, whose operators have used the same flaw — tracked as CVE-2025-61882 — to infiltrate dozens of organizations, according to cybersecurity analysts.
A Vulnerability Exploited, and a Quiet Intrusion Uncovered
Dartmouth officials said the attackers took advantage of a previously unknown weakness in the school’s Oracle E-Business Suite, a powerful enterprise platform widely used for finance and administrative operations. The intrusion went undetected for three days, during which time an unauthorized actor siphoned data from internal systems.
The breach notification submitted to Maine’s Attorney General outlines the sensitivity of the stolen files: in addition to Social Security numbers, Dartmouth confirmed that bank account information was taken. Those affected were notified by mail beginning in early November.
The college has not publicly disclosed whether Clop demanded a ransom, nor has it explained whether negotiations took place. A Dartmouth spokesperson declined to comment, and federal investigators have not yet released details of any ongoing inquiries.
Part of a Broader Wave Targeting Elite Institutions and Major Companies
The Dartmouth breach is one node in a sprawling extortion campaign that has ensnared prominent organizations across multiple sectors. Cybersecurity specialists say Clop has spent months exploiting the Oracle zero-day in a coordinated effort to steal sensitive data rather than encrypt systems — a tactical shift common among modern ransomware groups.
Among the victims whose data has already surfaced on Clop’s dark-web leak site are Harvard University, The Washington Post, Logitech, GlobalLogic, and Envoy Air, a subsidiary of American Airlines. Analysts at Google’s Threat Intelligence Group estimate that dozens of organizations may have been compromised.
Clop’s track record adds weight to those concerns. In prior years, the group orchestrated major data-theft operations targeting Accellion FTA, GoAnywhere MFT, Cleo, and most notably MOVEit Transfer — an attack that affected more than 2,770 organizations worldwide.
The U.S. State Department has since offered a $10 million reward for information linking Clop’s operations to a foreign government.
The Higher-Education Sector Faces Intensifying Pressure
Universities — particularly Ivy League institutions — have emerged as increasingly attractive targets for hackers. Their networks store decades of personal data related to students, alumni, donors, faculty and researchers, and their distributed IT systems often combine legacy tools with modern cloud platforms, creating complex security environments.
In recent weeks alone, Harvard, Princeton and the University of Pennsylvania disclosed separate compromises, many involving voice-phishing operations that allowed hackers to penetrate internal development and alumni systems. The attacks exposed personal information belonging to thousands.
Higher-education cybersecurity officials say this is part of a broader trend. Universities often struggle with resource constraints and decentralized decision-making, leaving core administrative systems — such as Oracle E-Business Suite — vulnerable to sophisticated intrusions.
At Dartmouth, the compromised Oracle environment sits at the center of financial operations in a university with a $9 billion endowment and one of the smallest student-to-faculty ratios in the country. This concentration of sensitive data makes such systems attractive targets for extortion groups.
A Campaign Without an End in Sight
As Clop continues leaking data stolen from Dartmouth and other victims, security analysts warn that the number of affected individuals could grow dramatically in the coming months. For now, Dartmouth has urged those already identified to monitor their accounts and take steps to protect themselves from identity theft.
Experts say the breach underscores a broader shift in ransomware tactics: rather than encrypting systems, attackers increasingly rely on data theft alone, a method that reduces disruption for victims but increases the pressure to pay ransoms to avoid public exposure.
With no public statement yet on the ransom demand or negotiations, Dartmouth joins a growing list of institutions forced to grapple with the fallout of a sophisticated, multi-front intrusion.
For Ivy League universities facing simultaneous phishing campaigns, zero-day exploits and dark-web leaks, it is becoming clear that even the most well-resourced campuses are struggling to keep pace with a rapidly evolving threat landscape.
