More than 40,000 people had personal information compromised in an August cyberattack that targeted Dartmouth College’s Oracle E-Business Suite software, according to data breach notices the College filed with state attorneys general in New Hampshire, Vermont and Maine on Nov. 24, 2025.
The breach matters now because the compromised information includes highly sensitive identifiers such as Social Security numbers and bank account information, and because Dartmouth officials say they are still reviewing what data was involved and notifying affected individuals.
According to the breach notices, a ransomware group known as Clop claimed responsibility for the incident on its website on the dark web, where stolen data associated with multiple victims was posted. The College described the incident as a “zero-day attack,” meaning the attackers exploited a vulnerability that was unknown to Oracle at the time.
In letters mailed to victims, Dartmouth wrote that after discovering the breach it “immediately took measures to secure the environment, notified law enforcement and launched an investigation.” The College also said it has taken steps intended to reduce the risk of a repeat incident.
“To help prevent something like this from happening again, we implemented all publicly available patches provided following the incident for the Oracle EBS software and will continue to vet our vendors’ data security practices,” the letter said.
In an email statement to The Dartmouth, College spokesperson Jana Barnello said the investigation remains “ongoing.”
“Dartmouth is reviewing the data involved and will notify and offer support to individuals whose data was included in this incident in accordance with applicable law,” Barnello wrote.
Dartmouth also urged recipients of notification letters to use support services offered by the College. Interim Chief Information Officer Tom DeChiaro wrote in a Dec. 16, 2025 email to campus that “we recognize the concern this incident may cause.”
“We encourage everyone who received a letter to take advantage of the complimentary credit monitoring and identity theft protection services offered,” DeChiaro wrote.
The cyberattack occurred over three days, from Aug. 9 to Aug. 12, 2025, according to the article. It was part of what the article described as an international campaign by Clop targeting an Oracle E-Business Suite vulnerability. The attacks have affected more than 100 organizations worldwide, the article reported, including Harvard University and the University of Pennsylvania.
Computer science professor Sami Saydjari, whose research centers on cybersecurity engineering, said organizations should consider deploying broader intrusion detection tools that can spot unusual behavior even when an attack method is new.
“Some people say, ‘Well, you can’t ever see a zero-day attack because it’s never been seen before,’” Saydjari said. “And that’s true for intrusion detection systems that look for signatures of known attacks, but there are more advanced intrusion detection systems that can see activity that is anomalous and suspicious.”
Saydjari also said institutions should be open about breaches and study them closely.
“They need to study them, sort of like [how] the National Transportation Safety Board studies aviation accidents to learn as much as possible so that we can make aviation safer,” Saydjari said. “I think that these institutions need to deeply study these attacks [and] why they happened.”
The breach has also drawn attention from state officials who receive breach notifications and oversee consumer protection in their states. In an interview with The Dartmouth, Vermont Attorney General Charity Clark said policymakers should “strengthen” data privacy laws.
“This is a tremendous moment in history to be an advocate for data privacy,” Clark said.
Clark said data privacy legislation benefits both consumers and businesses.
“Our marketplace will suffer if consumers don’t feel safe sharing their bank account number,” Clark said. “They’re not going to buy things online … it’s going to have a chilling effect.”
Clark added that individuals should be “vigilant” about protecting their own information, noting what she described as misplaced confidence that institutions requesting personal data will always be able to keep it safe.
“There’s a kind of outdated trust in institutions that [are] asking you for information,” Clark said. “What we have seen is very legitimate companies and businesses experiencing data breaches.”
Federal law enforcement officials have also warned that vulnerabilities in widely used enterprise software can be quickly exploited. Federal Bureau of Investigation assistant director Brett Leatherman wrote in a LinkedIn post about the breach that attackers “have every incentive to weaponize” such vulnerabilities.
“The race is on before others identify and target vulnerable systems,” Leatherman wrote.
This incident follows previous data security concerns at Dartmouth, as the College continues its investigation and review of the affected data. The College has indicated it will keep notifying and offering support to individuals whose data was included, as required by law.
