Harvard University experienced a data breach in September 2025, in which an unauthorized third party exploited a zero-day vulnerability in Oracle’s E-Business Suite to launch a cyber attack. The breach compromised the names, Social Security numbers, and addresses of 41 Massachusetts residents. The ransomware group Clop (Cl0p) claimed responsibility, stating it was part of a broader campaign targeting multiple organizations using the same vulnerable Oracle software. Harvard has not confirmed whether a ransom was paid. The incident exposed sensitive personal data, prompting the university to offer 24 months of free credit monitoring to affected individuals. The attack leveraged a previously unknown flaw in Oracle’s system, which was patched only after the breach occurred. Clop, known for exploiting zero-day vulnerabilities, often steals data and demands a ransom in exchange for not leaking it, rather than encrypting files. The breach underscores the growing threat of ransomware in the education sector, where institutions face operational disruptions, data theft, and prolonged recovery periods.
TPRM report: https://www.rankiteo.com/company/harvard-university-vpal
"id": "har5902759110625",
"linkid": "harvard-university-vpal",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '41 Massachusetts residents',
'industry': 'higher education',
'location': 'Cambridge, Massachusetts, USA',
'name': 'Harvard University',
'size': '~25,000 students, ~20,000 faculty/staff, '
'~400,000 alumni, 35M online learners',
'type': 'educational institution'},
{'location': 'Australia',
'name': 'Ansell Limited',
'type': 'corporation'},
{'industry': 'higher education',
'location': 'South Africa',
'name': 'University of the Witwatersrand (Wits '
'University)',
'type': 'educational institution'},
{'industry': 'aviation',
'location': 'USA',
'name': 'Envoy Air Inc',
'type': 'airline'}],
'attack_vector': 'exploitation of zero-day vulnerability in Oracle EBusiness '
'Suite web application',
'customer_advisories': 'Victims notified via letter; enrollment deadline for '
'credit monitoring: 2026-01-30',
'data_breach': {'data_exfiltration': 'yes',
'number_of_records_exposed': '41',
'personally_identifiable_information': ['names',
'Social Security '
'numbers',
'addresses'],
'sensitivity_of_data': 'high (includes Social Security '
'numbers)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)']},
'date_detected': '2025-09-29',
'description': 'Harvard University notified 41 Massachusetts residents of a '
'September 2025 data breach that compromised their names, '
'Social Security numbers, and addresses. An unauthorized third '
'party exploited a zero-day vulnerability in Oracle EBusiness '
'Suite software to launch a cyber attack and steal data. '
'Ransomware group Clop (Cl0p) took credit for the breach, '
'which was part of a larger wave of attacks targeting the same '
'Oracle vulnerability. Harvard has not confirmed whether a '
'ransom was paid or demanded.',
'impact': {'brand_reputation_impact': 'potential reputational damage due to '
'data breach affecting 41 individuals',
'data_compromised': ['names',
'Social Security numbers',
'addresses'],
'identity_theft_risk': 'high (SSNs and personal data exposed)',
'systems_affected': ['Oracle EBusiness Suite web application']},
'initial_access_broker': {'entry_point': 'zero-day vulnerability in Oracle '
'EBusiness Suite web application',
'high_value_targets': ['Harvard University',
'Ansell Limited',
'University of the '
'Witwatersrand',
'Envoy Air Inc']},
'investigation_status': 'ongoing (Harvard has not verified Clop’s claim or '
'disclosed ransom details)',
'motivation': 'financial gain (ransom demand for stolen data)',
'post_incident_analysis': {'root_causes': 'exploitation of unpatched zero-day '
'vulnerability in Oracle EBusiness '
'Suite (patch released by Oracle '
'only after the attack)'},
'ransomware': {'data_exfiltration': 'yes', 'ransomware_strain': 'Clop (Cl0p)'},
'references': [{'source': 'Comparitech'},
{'source': 'Harvard University Breach Notice (PDF)'},
{'source': 'Massachusetts Attorney General Report'}],
'regulatory_compliance': {'regulatory_notifications': ['Massachusetts '
'Attorney General (as '
'per state breach '
'notification laws)']},
'response': {'communication_strategy': 'victim notification via letter (PDF) '
'and 24 months of free credit '
'monitoring through Experian '
'(enrollment deadline: 2026-01-30)',
'incident_response_plan_activated': 'yes (notification to '
'victims and credit '
'monitoring offered)',
'third_party_assistance': ['Experian (credit monitoring '
'services)']},
'stakeholder_advisories': '24 months of free credit monitoring offered to '
'victims via Experian',
'threat_actor': 'Clop (Cl0p) ransomware group',
'title': 'Harvard University Data Breach (September 2025)',
'type': ['data breach', 'ransomware attack'],
'vulnerability_exploited': 'zero-day vulnerability in Oracle EBusiness Suite'}