Harvard University is investigating a data breach after the Russian-speaking cybercrime group Clop exploited a vulnerability in the Oracle E-Business Suite (versions 12.2.3–12.2.14). The breach, part of a broader attack targeting over 100 organizations, involved unauthorized data exfiltration, though Harvard’s initial probe suggested only a limited number of parties in a small administrative unit were affected. Clop, known for extorting victims by threatening to leak stolen data, publicly claimed responsibility in late September 2023, demanding ransom payments. While Harvard applied patches and found no evidence of wider system compromise, the incident aligns with Clop’s history of high-profile attacks, including the 2023 MOVEit breach (affecting 2,773+ organizations) and a 2019 ransomware attack on Maastricht University. Oracle acknowledged the vulnerability in October, issuing patches after initially downplaying the risk. The stolen data’s nature remains undisclosed, but Clop’s modus operandi suggests potential exposure of sensitive administrative or personal records.
Source: https://www.thecrimson.com/article/2025/10/14/harvard-security-breach-russian-cybercrime-group/
TPRM report: https://www.rankiteo.com/company/harvardcid
"id": "har1402414101425",
"linkid": "harvardcid",
"type": "Cyber Attack",
"date": "6/2019",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Limited number of parties '
'associated with a small '
'administrative unit',
'industry': 'Higher Education',
'location': 'Cambridge, Massachusetts, USA',
'name': 'Harvard University',
'size': 'Large (~20,000+ students, ~16,000+ '
'faculty/staff)',
'type': 'Educational Institution'},
{'name': 'Over 100 unnamed companies (targeted in '
'broader Clop campaign)'}],
'attack_vector': ['Exploitation of Oracle E-Business Suite Vulnerability (CVE '
'unknown)',
'Zero-Day Exploit (initially unpatched)'],
'data_breach': {'data_exfiltration': True},
'date_publicly_disclosed': '2023-09-30',
'description': 'Harvard University is investigating a data breach after the '
'Russian-speaking cybercrime group Clop claimed it was '
'preparing to release information stolen through a '
'vulnerability in the Oracle E-Business Suite software used by '
'the University. The breach is part of a larger attack '
'targeting over 100 companies. Clop, known for extorting '
'payments to prevent data leaks, announced the breach on its '
'leak site. Harvard confirmed a limited impact, affecting only '
'a small administrative unit, and applied patches to address '
'the vulnerability. Oracle acknowledged the flaws and issued '
"updates after Clop's public disclosure in late September "
'2023.',
'impact': {'brand_reputation_impact': 'Potential (public disclosure of breach '
'by a high-profile threat actor)',
'data_compromised': True,
'operational_impact': 'Limited (affected a small administrative '
'unit)',
'systems_affected': ['Oracle E-Business Suite (limited to a small '
'administrative unit at Harvard)']},
'initial_access_broker': {'entry_point': 'Oracle E-Business Suite '
'vulnerability',
'high_value_targets': ['Harvard University (among '
'100+ organizations)'],
'reconnaissance_period': 'Potentially since July '
'2023 (per Google/Mandiant '
'investigation)'},
'investigation_status': 'Ongoing (Harvard IT investigating scope)',
'motivation': ['Financial Gain', 'Extortion'],
'post_incident_analysis': {'corrective_actions': ['Patch deployment',
'Incident investigation',
'Public disclosure'],
'root_causes': ['Unpatched Oracle E-Business Suite '
'vulnerability',
'Delayed patch application (July '
'2023 update not universally '
'applied)']},
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'The Harvard Crimson',
'url': 'https://www.thecrimson.com'},
{'source': 'Oracle Security Alert Advisory (October 2023)'},
{'source': 'Google Threat Intelligence Group & Mandiant '
'Investigation'},
{'source': 'Coveware Ransomware Response Firm (MoveIt attack '
'estimates)'}],
'response': {'communication_strategy': ['Public statement by Harvard '
'University Information Technology '
'(HUIT)',
'Media coverage via The Harvard '
'Crimson'],
'containment_measures': ['Applied patches to Oracle E-Business '
'Suite'],
'incident_response_plan_activated': True,
'remediation_measures': ['Vulnerability patching',
'Investigation into scope of breach']},
'stakeholder_advisories': ['Public statement by Tim J. Bailey (Harvard '
'University Information Technology spokesperson)'],
'threat_actor': 'Clop (Russian-speaking cybercrime group)',
'title': 'Harvard University Data Breach via Oracle E-Business Suite '
'Vulnerability',
'type': ['Data Breach', 'Extortion', 'Exploitation of Software Vulnerability'],
'vulnerability_exploited': ['Oracle E-Business Suite (versions 12.2.3 to '
'12.2.14)',
'Unpatched flaw (addressed in July 2023 update, '
'additional vulnerabilities patched in October '
'2023)']}