Data Breaches | January 7, 2026 | 4 min read

Dartmouth Breach Exposes 44,000 in Clop Oracle Campaign

Russian ransomware gang exploited CVE-2025-61882 to steal SSNs and financial data from the college. The same vulnerability hit Harvard, UPenn, and 100+ organizations.

Sarah Mitchell

Dartmouth College confirmed that Russian ransomware group Clop stole personal information belonging to more than 44,000 people during an August 2025 attack. The breach is part of a broader campaign exploiting a critical vulnerability in Oracle's E-Business Suite that has affected over 100 organizations including Harvard University and the University of Pennsylvania.

Clop posted the stolen data on its dark web leak site after the college apparently declined to pay a ransom. The 226GB dump includes names, Social Security numbers, and financial account information.

What Happened

The attack occurred over three days from August 9 to August 12, 2025. Clop exploited CVE-2025-61882, a vulnerability in Oracle E-Business Suite carrying a CVSS score of 9.8—about as severe as flaws get.

Oracle E-Business Suite handles enterprise functions like payroll, procurement, HR, and financial management. At a university, that means student records, employee information, research grant data, and financial aid details all flow through the system.

The vulnerability gave Clop's operators access to Dartmouth's Oracle deployment. From there, they exfiltrated data over several days before anyone noticed.

According to breach notifications:

  • 31,742 New Hampshire residents affected
  • 1,494 Maine residents affected
  • Total victim count exceeds 44,000

The actual exposure likely runs higher. Those figures represent only the states where Dartmouth has filed notifications so far.

What Was Stolen

The compromised data includes:

  • Full names
  • Social Security numbers
  • Financial account information
  • Potentially other personal details stored in Oracle EBS

This combination enables identity theft, tax fraud, and account takeover attacks. Social Security numbers can't be changed—victims carry this exposure indefinitely.

Clop's Oracle Campaign

Dartmouth isn't an isolated incident. Clop has been systematically exploiting CVE-2025-61882 across organizations running Oracle E-Business Suite. Other confirmed victims include:

  • Harvard University
  • University of Pennsylvania
  • GlobalLogic
  • Envoy Air (American Airlines subsidiary)
  • Canon
  • Mazda
  • The Washington Post
  • Logitech

The University of Phoenix disclosed a similar breach affecting 3.5 million individuals—also traced to Clop exploiting Oracle EBS.

This mirrors Clop's playbook from 2023, when the group exploited MOVEit Transfer vulnerabilities to compromise hundreds of organizations. Rather than deploying ransomware encryption, Clop focuses on data theft and extortion. If victims don't pay, the data gets published.

Dartmouth's Response

The college issued breach notifications in early January 2026, roughly five months after the attack. The notification states:

"Dartmouth is reviewing the data involved and will notify and offer support to individuals whose data was included in this incident in accordance with applicable law."

Affected individuals receive one year of complimentary identity theft protection through Experian IdentityWorks. The enrollment deadline is February 28, 2026.

One year of credit monitoring is the standard corporate response to breaches, though security researchers consistently note it's inadequate given the permanent nature of SSN exposure. The stolen data can be weaponized years from now.

What Victims Should Do

If you received a notification from Dartmouth:

  1. Enroll in the credit monitoring - Free is better than nothing, even if limited
  2. Freeze your credit - Contact Equifax, Experian, and TransUnion to place freezes
  3. Monitor financial accounts - Watch for unauthorized transactions or new accounts
  4. Request an IRS Identity Protection PIN - Prevents tax refund fraud using your SSN
  5. Be skeptical of follow-up contacts - Scammers often target breach victims with fake "assistance" offers

The Broader Problem

Universities remain attractive targets for ransomware groups. They hold valuable personal data, often run legacy systems, and historically underinvest in security compared to financial or healthcare organizations.

The Oracle E-Business Suite vulnerability demonstrates how enterprise software creates systemic risk. When hundreds of organizations depend on the same platform, a single vulnerability becomes a master key for attackers willing to exploit it at scale.

Clop clearly recognized this. Rather than targeting organizations individually, they built infrastructure to exploit CVE-2025-61882 across the entire vulnerable population. The efficiency is brutal: one vulnerability, hundreds of victims, millions of exposed records.

Organizations still running unpatched Oracle E-Business Suite installations should assume compromise and begin forensic investigation immediately.
