Dartmouth College has begun notifying more than 40,000 individuals in the Twin States whose personal information may have been exposed in a cybersecurity breach that occurred in early August. The college began sending letters last week detailing the incident and offering credit monitoring services to affected individuals.

The breach stemmed from a vulnerability in Oracle’s E-Business Suite, a widely used enterprise resource planning platform. A ransomware group has claimed responsibility for the attack, which reportedly affected over 100 organizations. Dartmouth confirmed that an “unauthorized actor” accessed its systems over a three-day period and downloaded files containing names, Social Security numbers, and financial account information.

In filings submitted last week to the attorneys general of New Hampshire and Vermont, Dartmouth reported that 31,742 New Hampshire residents and 12,701 Vermonters were affected. The college has also filed similar reports in additional states including Maine, California, and Texas, consistent with standard breach notification laws.

Jana Barnello, a spokesperson for Dartmouth, said the intrusion did not result from phishing or user error within the institution. She stressed that the breach was tied to the Oracle software platform and was not due to actions by Dartmouth personnel.

Oracle disclosed the vulnerability in early October, prompting Dartmouth to investigate its internal systems. According to filings, college staff identified on October 30 that some files accessed in the breach contained protected personal information. Dartmouth then implemented all patch updates recommended by Oracle and established a dedicated phone line to assist those impacted.

The notification letters sent to affected individuals include information about the breach and a one-year subscription to Experian IdentityWorks, which offers identity theft protection services.

This breach marks the first cyber incident Dartmouth has reported to New Hampshire regulators since 2012, when a laptop containing information on four individuals was stolen. The current breach involves a significantly larger number of affected individuals and reflects broader vulnerabilities in widely used digital infrastructure.

Dartmouth’s investigation and response remain ongoing as the college continues to assess the full extent of the impact. While no evidence has surfaced suggesting misuse of the compromised data, the college advises recipients of the notice to monitor their financial accounts and take advantage of the offered security tools.

As colleges across the country rely increasingly on third-party platforms to manage their administrative systems, the breach highlights the risks of depending on shared digital tools. Dartmouth’s response now focuses on strengthening cybersecurity safeguards and ensuring that those affected by the breach receive appropriate support.

Written by

Avery Chen

Contributing writer at The Dartmouth Independent
