TL;DR: The Russian ransomware group Clop exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite to breach over 100 organizations worldwide. Harvard, Dartmouth, Princeton, Columbia, Penn, and the University of Phoenix are confirmed victims. At Dartmouth alone, attackers stole 226 GB of data, including Social Security numbers, bank accounts, and birth dates for 40,000+ people. If you've ever been a student or employee at these institutions, your data may be on the dark web. Breach notifications are going out now.

What Happened

From August 9 to 12, 2025, the Clop ransomware gang, a Russian-speaking cybercrime operation, launched a coordinated attack against organizations using Oracle's E-Business Suite (EBS) enterprise software [1].

The weapon: CVE-2025-61882, a zero-day vulnerability carrying a severity score of 9.8 out of 10. That's about as bad as security flaws get [2].

Over three days, Clop silently infiltrated systems, exfiltrated data, and vanished. Organizations didn't discover the breach until months later. Notifications started going out in November 2025. Some are still rolling in now [1].

Which Universities Got Hit

Higher education got hammered. Confirmed victims include [2][3][4]:

Ivy League

  • Harvard University
  • Dartmouth College
  • Princeton University
  • Columbia University
  • University of Pennsylvania

Other Major Schools

  • University of Phoenix
  • Southern Illinois University
  • Tulane University

Dartmouth: A Case Study in Catastrophe

Dartmouth's breach disclosure provides the clearest picture of what Clop stole [1]:

  • People affected: Over 44,000 individuals
  • Data volume: 226 gigabytes
  • Attack window: August 9-12, 2025

What was stolen:

  • Social Security numbers
  • Birth dates
  • Bank account information
  • Financial account details
  • Personal identifying information

Dartmouth CIO Tom DeChiaro encouraged "everyone who received a letter to take advantage of the complimentary credit monitoring and identity theft protection services offered" [1].

That's cold comfort when your SSN is circulating on Russian hacking forums.

It's Not Just Universities

Clop didn't discriminate. Over 100 organizations across multiple industries were compromised [2]:

  • Media: Washington Post
  • Aviation: American Airlines/Envoy Air, Korean Air
  • Technology: Logitech, Canon, GlobalLogic
  • Automotive: Mazda
  • Telecom: Cox Enterprises

Korean Air confirmed 30,000 employees were affected by their breach [5]. The Washington Post, Canon, and Logitech have acknowledged being targeted but haven't disclosed full impact numbers.

How the Attack Worked

This wasn't a phishing attack or an employee clicking a bad link. Clop found a critical flaw in Oracle's E-Business Suite, software used by thousands of organizations for financial management, HR, and supply chain operations [2].

The vulnerability (CVE-2025-61882) allowed attackers to bypass authentication entirely. No passwords needed. No social engineering required. Just a direct path into corporate systems.

Oracle released patches after the attacks were discovered. But by then, Clop had already harvested months' worth of data from organizations that trusted Oracle's enterprise software [2].

This is supply chain security at its worst. You can do everything right (strong passwords, security training, endpoint protection) and still get compromised because a vendor you depend on had a critical flaw.

Clop's Resume of Destruction

This isn't Clop's first mass-exploitation campaign. The group has a pattern: find a zero-day in widely used enterprise software, exploit it at scale, then extort victims with stolen data [6].

Previous Clop campaigns targeted:

  • MOVEit Transfer (2023): Over 2,000 organizations breached, affecting 60+ million individuals
  • GoAnywhere MFT (2023): 130+ organizations compromised
  • Accellion FTA (2021): Multiple major corporations and universities hit

Same playbook, different software. And it keeps working.

What This Means for You

If you've been a student or employee of any affected organization, or otherwise affiliated with one, even years ago, your data could be compromised. University HR systems often retain records for decades.

SSNs don't expire. Birth dates don't change. Bank account numbers might, but the damage from identity theft can follow you for years.

Clop typically posts stolen data on their dark web leak site if victims don't pay ransom. Some universities have policies against paying. That means your data may already be publicly available to anyone who knows where to look.

What You Can Do

Freeze Your Credit

Contact all three bureaus (Equifax, Experian, TransUnion) and freeze your credit immediately. This prevents anyone from opening new accounts in your name. It's free and takes 15 minutes.

Monitor Your Accounts

Check your bank and credit card statements weekly. Set up transaction alerts. Any unfamiliar charge, no matter how small, could signal identity theft.

Accept Free Monitoring

If you received a breach notification, enroll in the free credit monitoring offered. It's not perfect, but it's an additional layer of detection.

Request an IRS Identity Protection PIN

Request an IP PIN from the IRS. This prevents anyone from filing a fraudulent tax return using your SSN. Do this before tax season.

Long-Term Protection

  • Consider identity theft protection: Services like Aura, LifeLock, or IdentityForce provide ongoing monitoring beyond the free year offered by breached companies.
  • Check HaveIBeenPwned: Enter your email at haveibeenpwned.com to see if it appears in known breaches. Sign up for alerts.
  • Use unique passwords everywhere: If your credentials were exposed, attackers will try them on every service. A password manager makes this manageable.
  • Enable MFA on everything: Multi-factor authentication stops most credential-based attacks even if your password leaks.

References

  1. The Dartmouth - More than 40,000 hit by Dartmouth data breach (January 2026)
  2. SecurityWeek - Nearly 30 Alleged Victims of Oracle EBS Hack Named on Cl0p Ransomware Site
  3. CyberScoop - University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks
  4. The Record - At least 35,000 impacted by Dartmouth College breach through Oracle EBS campaign
  5. CPO Magazine - Korean Air Data Breach by Clop Ransomware Impacts 30,000 Employees
  6. BlackFog - Clop's New Extortion Wave Hits Oracle E-Business Suite