Dartmouth reported a data breach involving its Oracle eBusiness Suite (EBS) software, where an unauthorized actor exploited a vulnerability to extract sensitive personal identifiable information (PII) from its systems. The incident occurred between August 9–12, 2025, with the breach discovered later during an investigation. Compromised data included names, Social Security numbers, and financial account information of affected individuals. Dartmouth confirmed that the data was accessed and/or acquired by a third party, prompting a review to identify impacted individuals. Notification letters were sent to victims on November 24, 2025, offering 12 months of complimentary credit monitoring as a remedial measure. The breach stemmed from a broader vulnerability in Oracle’s EBS, affecting multiple customers, including Dartmouth. The exposed data poses significant risks of identity theft, financial fraud, and long-term reputational harm to the institution and its stakeholders.
Source: https://straussborrelli.com/2025/11/25/dartmouth-college-data-breach-investigation/
Dartmouth Hitchcock Medical Center and Clinics cybersecurity rating report: https://www.rankiteo.com/company/dartmouthhitchcock
"id": "DAR3010830112625",
"linkid": "dartmouthhitchcock",
"type": "Vulnerability",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Individuals associated with '
'Dartmouth (specific number not '
'disclosed)',
'industry': 'Higher Education',
'location': 'Hanover, New Hampshire, USA',
'name': 'Dartmouth',
'type': 'Educational Institution'}],
'attack_vector': 'Exploitation of vulnerability in Oracle eBusiness Suite '
'(EBS) software',
'customer_advisories': ['Breach notification letters with details of exposed '
'PII and credit monitoring offer'],
'data_breach': {'data_exfiltration': 'Likely (data accessed and/or acquired '
'by unauthorized third party)',
'personally_identifiable_information': ['Name',
'Social Security '
'number',
'Financial account '
'information'],
'sensitivity_of_data': 'High (includes SSNs and financial '
'data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_publicly_disclosed': '2025-11-24',
'description': 'Dartmouth reported a data breach involving its Oracle '
'eBusiness Suite (EBS) software, where an unauthorized actor '
'exploited a vulnerability to access sensitive personal '
"identifiable information (PII) from Dartmouth's systems "
'between August 9 and August 12, 2025. The compromised data '
'may include names, Social Security numbers, and financial '
'account information. Dartmouth launched an investigation, '
'identified affected individuals, and began mailing breach '
'notification letters on November 24, 2025, offering 12 months '
'of complimentary credit monitoring services to impacted '
'parties.',
'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
'exposure of sensitive PII',
'data_compromised': ['Name',
'Social Security number',
'Financial account information'],
'identity_theft_risk': 'High (due to exposure of SSNs and '
'financial data)',
'payment_information_risk': 'High (financial account information '
'exposed)',
'systems_affected': ['Oracle eBusiness Suite (EBS)']},
'initial_access_broker': {'entry_point': 'Vulnerability in Oracle eBusiness '
'Suite (EBS)',
'high_value_targets': ['Sensitive PII (SSNs, '
'financial data)']},
'investigation_status': 'Completed (scope and impacted individuals '
'identified)',
'post_incident_analysis': {'root_causes': ['Exploitation of vulnerability in '
'third-party software (Oracle '
'EBS)']},
'references': [{'source': 'Attorney General of Maine - Data Breach '
'Notification'}],
'regulatory_compliance': {'regulatory_notifications': ['Notification to the '
'Attorney General of '
'Maine']},
'response': {'communication_strategy': ['Breach notification letters mailed '
'to impacted individuals',
'Filing with the Attorney General of '
'Maine'],
'incident_response_plan_activated': True,
'recovery_measures': ['Notification letters to affected '
'individuals',
'12 months of complimentary credit '
'monitoring services'],
'remediation_measures': ['Investigation to determine scope and '
'impact',
'Review of compromised data']},
'threat_actor': 'Unauthorized third party',
'title': 'Dartmouth Data Breach via Oracle EBS Vulnerability',
'type': 'Data Breach',
'vulnerability_exploited': 'Unspecified vulnerability in Oracle EBS'}