Dartmouth College suffered a major cybersecurity breach after the **Cl0p ransomware gang** exploited a **zero-day vulnerability (CVE-2025-61884)** in its **Oracle E-Business Suite (EBS)** system. The attackers gained unauthorized access between **August 9–12, 2025** and exfiltrated **226GB of sensitive data**, including **Social Security numbers (SSNs), bank account details (with routing numbers), personal names, and other PII** belonging to at least **1,494 individuals** (primarily Maine residents); the total number affected is likely far larger. Oracle released patches in **October 2025**, but Dartmouth’s forensic investigation did not confirm the breach until **October 30, 2025**, and Cl0p later **leaked the stolen data** on its dark web site in **November 2025**. The incident is part of the gang’s targeted campaign against **higher education institutions** via unpatched EBS vulnerabilities and exposes victims to **identity theft, financial fraud, and long-term reputational harm**. It also underscores critical failures in **patch management, access controls, and incident response** within the college’s ERP infrastructure.
Dartmouth College cybersecurity rating report: https://www.rankiteo.com/company/dartmouth-college
```json
{
  "id": "DAR1335913112725",
  "linkid": "dartmouth-college",
  "type": "Ransomware",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "1,494+ (confirmed Maine residents; total unknown)",
      "industry": "Higher Education",
      "location": "Hanover, New Hampshire, United States",
      "name": "Dartmouth College",
      "type": "Educational Institution (Private Ivy League University)"
    },
    {
      "industry": "Higher Education",
      "location": "Cambridge, Massachusetts, United States",
      "name": "Harvard University",
      "type": "Educational Institution (Private Ivy League University)"
    },
    {
      "industry": "Higher Education",
      "location": "Illinois, United States",
      "name": "Southern Illinois University",
      "type": "Educational Institution (Public University System)"
    },
    {
      "industry": "Higher Education",
      "location": "New Orleans, Louisiana, United States",
      "name": "Tulane University",
      "type": "Educational Institution (Private Research University)"
    },
    {
      "customers_affected": "~10,000 individuals",
      "industry": ["Media", "Telecommunications", "Automotive Services"],
      "location": "Atlanta, Georgia, United States",
      "name": "Cox Enterprises",
      "type": "Corporation (Media & Telecommunications Conglomerate)"
    },
    {
      "industry": "Technology",
      "location": "Tokyo, Japan",
      "name": "Canon Inc.",
      "type": "Corporation (Multinational Imaging & Optical Products)"
    },
    {
      "industry": "Automotive",
      "location": "Hiroshima, Japan",
      "name": "Mazda Motor Corporation",
      "type": "Corporation (Automobile Manufacturer)"
    }
  ],
  "attack_vector": "Exploitation of Oracle EBS Zero-Day Vulnerability (CVE-2025-61884) via remote access without authentication",
  "customer_advisories": [
    "Monitor financial accounts for fraudulent activity.",
    "Place fraud alerts or credit freezes with credit bureaus.",
    "Beware of phishing attempts using exposed PII.",
    "Report suspicious activity to Dartmouth College’s IT security team."
  ],
  "data_breach": {
    "data_exfiltration": "226GB of data leaked on Cl0p’s dark web site",
    "number_of_records_exposed": "1,494+ (confirmed; total likely higher)",
    "personally_identifiable_information": [
      "Social Security Numbers (SSNs)",
      "Bank Account Information",
      "Names",
      "Other PII"
    ],
    "sensitivity_of_data": "High (SSNs, bank account details, PII)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Financial Data",
      "Employee/Student Records"
    ]
  },
  "date_detected": "2025-10-01T00:00:00Z",
  "date_publicly_disclosed": "2025-11-01T00:00:00Z",
  "description": "The Cl0p ransomware gang exploited a zero-day vulnerability (CVE-2025-61884) in Oracle E-Business Suite (EBS) at Dartmouth College, leaking 226GB of sensitive data, including Social Security numbers (SSNs) and bank account details of at least 1,494 individuals (primarily Maine residents). The breach occurred between August 9–12, 2025, before Oracle released patches in October 2025. Cl0p claimed responsibility and published the stolen data on its dark web leak site in November 2025. The incident is part of a broader campaign targeting universities and corporations using Oracle EBS, including Harvard, Southern Illinois University, Tulane, Cox Enterprises, Canon, and Mazda.",
  "impact": {
    "brand_reputation_impact": "Significant reputational damage due to exposure of sensitive PII and public leak of 226GB data",
    "data_compromised": [
      "Social Security Numbers (SSNs)",
      "Bank Account Information (Routing Numbers)",
      "Personal Names",
      "Other Personally Identifiable Information (PII)"
    ],
    "identity_theft_risk": "High (SSNs and banking details exposed)",
    "legal_liabilities": "Potential lawsuits or regulatory fines (e.g., under state data breach laws)",
    "operational_impact": "Forensic investigation, regulatory notifications, and incident response efforts",
    "payment_information_risk": "High (bank account and routing numbers compromised)",
    "systems_affected": ["Oracle E-Business Suite (EBS)"]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "226GB published on Cl0p’s leak site (November 2025)",
    "entry_point": "Oracle E-Business Suite (EBS) via CVE-2025-61884 (remote exploitation without authentication)",
    "high_value_targets": [
      "Financial data (bank accounts)",
      "HR data (SSNs)",
      "Student/faculty PII"
    ]
  },
  "investigation_status": "Completed (forensic analysis finalized; extent of data theft confirmed)",
  "lessons_learned": [
    "Critical importance of patching zero-day vulnerabilities promptly, especially in enterprise systems like Oracle EBS.",
    "Need for proactive monitoring of ERP systems for unauthorized access.",
    "Risks of delayed incident detection (breach occurred in August, detected in October).",
    "Cl0p’s shift to targeting ERP systems highlights the need for specialized security measures for high-value data repositories."
  ],
  "motivation": [
    "Financial Gain (Ransom Extortion)",
    "Data Theft for Dark Web Sales",
    "Reputation Damage"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Accelerated patch management for enterprise systems.",
      "Implementation of MFA for all EBS administrative accounts.",
      "Enhanced logging and monitoring of EBS database access.",
      "Network segmentation to limit lateral movement.",
      "Incident response plan updates to include ERP-specific protocols."
    ],
    "root_causes": [
      "Delayed patching of critical zero-day vulnerability (CVE-2025-61884).",
      "Insufficient monitoring of EBS access logs for unauthorized activity.",
      "Lack of MFA for administrative access to EBS.",
      "Overly permissive user account privileges."
    ]
  },
  "ransomware": {
    "data_exfiltration": "226GB",
    "ransom_paid": "No (data leaked after refusal)",
    "ransomware_strain": "Cl0p"
  },
  "recommendations": [
    {
      "immediate": [
        "Apply Oracle’s CVE-2025-61884 patches immediately.",
        "Conduct forensic analysis of EBS access logs (August–October 2025).",
        "Review and disable unnecessary user accounts.",
        "Enable MFA for all EBS administrative access.",
        "Implement enhanced monitoring of EBS database activity."
      ]
    },
    {
      "long_term": [
        "Regular vulnerability assessments and penetration testing for ERP systems.",
        "Network segmentation to isolate EBS from general networks.",
        "Deploy intrusion detection/prevention systems (IDS/IPS).",
        "Use data loss prevention (DLP) tools to monitor sensitive data exfiltration.",
        "Develop an incident response plan specifically for ERP system compromises.",
        "Provide identity theft protection services to affected individuals."
      ]
    }
  ],
  "references": [
    {
      "date_accessed": "2025-11-15",
      "source": "SecurityWeek",
      "url": "https://www.securityweek.com"
    },
    {
      "date_accessed": "2025-11-01",
      "source": "Dartmouth College Data Breach Notification (Maine AG)"
    },
    {
      "date_accessed": "2025-10-15",
      "source": "Oracle Security Advisory for CVE-2025-61884",
      "url": "https://www.oracle.com/security-alerts"
    }
  ],
  "regulatory_compliance": {
    "regulations_violated": [
      "State data breach notification laws (e.g., Maine)",
      "Potential FERPA (for student records)",
      "Potential GLBA (for financial data)"
    ],
    "regulatory_notifications": [
      "Maine Attorney General’s Office",
      "Other state regulators (likely)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Notification to state regulators (Maine Attorney General)",
      "Notification to affected individuals"
    ],
    "containment_measures": [
      "Forensic analysis of EBS access logs",
      "Review of user access permissions",
      "Disabling unnecessary accounts"
    ],
    "enhanced_monitoring": "Implemented for EBS database access",
    "incident_response_plan_activated": "Yes (internal investigation launched in October 2025)",
    "network_segmentation": "Recommended as a long-term measure",
    "remediation_measures": [
      "Application of Oracle patches (CVE-2025-61884)",
      "Enhanced monitoring of EBS database access",
      "Multi-factor authentication (MFA) for administrative access"
    ]
  },
  "stakeholder_advisories": [
    "State regulators (e.g., Maine Attorney General)",
    "Affected individuals (students, faculty, staff)"
  ],
  "threat_actor": "Cl0p Ransomware Gang (TA505)",
  "title": "Dartmouth College Oracle E-Business Suite Data Breach by Cl0p Ransomware Gang",
  "type": ["Data Breach", "Ransomware Attack", "Unauthorized Access"],
  "vulnerability_exploited": "CVE-2025-61884 (Oracle E-Business Suite Zero-Day)"
}
```