The Dartmouth
January 7, 2026

More than 40,000 hit by Dartmouth data breach

Ransomware group Clop exposed birth dates, bank account information and social security numbers using a zero-day vulnerability in Oracle’s E-Business Suite software.

The personal information of over 40,000 people, including Social Security numbers and bank account information, was compromised in an August cyberattack on Dartmouth’s Oracle E-Business Suite software, according to data breach notices filed by the College with state attorneys general in New Hampshire, Vermont and Maine on Nov. 24, 2025.

Russian ransomware group Clop claimed responsibility for the attack on its website, located on the dark web, where the stolen data associated with multiple victims were posted. The incident was a “zero-day attack” — meaning it exploited a vulnerability that was unknown to Oracle.

In letters mailed to victims of the cyberattack—the vast majority of whom were New Hampshire residents—the College wrote that after discovering the data breach it “immediately took measures to secure the environment, notified law enforcement and launched an investigation.”

“To help prevent something like this from happening again, we implemented all publicly available patches provided following the incident for the Oracle EBS software and will continue to vet our vendors’ data security practices,” the letter said.

In an email statement to The Dartmouth, College spokesperson Jana Barnello wrote that an investigation into the data breach was “ongoing.”

“Dartmouth is reviewing the data involved and will notify and offer support to individuals whose data was included in this incident in accordance with applicable law,” Barnello wrote.

Interim Chief Information Officer Tom DeChiaro wrote in an email to campus on Dec. 16, 2025, that “we recognize the concern this incident may cause.”

“We encourage everyone who received a letter to take advantage of the complimentary credit monitoring and identity theft protection services offered,” DeChiaro wrote.

The cyberattack took place over three days from Aug. 9 to Aug. 12, 2025, as part of an international campaign by Clop. The attacks, which exploited a vulnerability in Oracle’s E-Business Suite enterprise software, have hit over 100 organizations worldwide, including Harvard University and the University of Pennsylvania.

Computer science professor Sami Saydjari, whose research centers on cybersecurity engineering, said that institutions should begin implementing “more general” intrusion detection software that can detect anomalies before attacks occur.

“Some people say, ‘Well, you can’t ever see a zero-day attack because it’s never been seen before,’” Saydjari said. “And that’s true for intrusion detection systems that look for signatures of known attacks, but there are more advanced intrusion detection systems that can see activity that is anomalous and suspicious.”

Saydjari added that institutions should be “transparent” about security breaches.

“They need to study them — sort of like [how] the National Transportation Safety Board studies aviation accidents to learn as much as possible so that we can make aviation safer,” Saydjari said. “I think that these institutions need to deeply study these attacks [and] why they happened.”

In an interview with The Dartmouth, Vermont attorney general Charity Clark said that state policymakers should “strengthen” data privacy laws.

“This is a tremendous moment in history to be an advocate for data privacy,” Clark said.

Clark said that data privacy legislation was “good for people and good for the economy.”

“Our marketplace will suffer if consumers don’t feel safe sharing their bank account number,” Clark said. “They’re not going to buy things online … it’s going to have a chilling effect.”

Clark added that individuals should be “vigilant” in protecting their own data.

“There’s a kind of outdated trust in institutions that [are] asking you for information,” Clark said. “What we have seen is very legitimate companies and businesses experiencing data breaches.”

Federal Bureau of Investigation assistant director Brett Leatherman wrote in a LinkedIn post about the data breach that attackers “have every incentive to weaponize” enterprise software vulnerabilities.

“The race is on before others identify and target vulnerable systems,” Leatherman wrote.

