According to Forbes, Dartmouth College confirmed a cyberattack from August 9-12 that compromised the personal data of over 40,000 people, including Social Security numbers and bank account details. The Cl0p ransomware gang exploited a previously unknown, critical vulnerability in Oracle’s E-Business Suite, tracked as CVE-2025-61882. Security firms CrowdStrike and Google Threat Intelligence attribute the widespread campaign to Cl0p, which hit over 100 organizations before Oracle issued a patch on October 4. The breach primarily affected 31,742 New Hampshire and 12,701 Vermont residents, with Dartmouth filing notices in several other states. College officials stress this was not due to any phishing or internal failure, but a flaw in the trusted Oracle software itself.
The Cl0p Playbook Is Ruthlessly Effective
Here’s the thing about Cl0p: they’re not spray-and-pray hackers. They’re surgical, patient, and they have a devastatingly simple business model. Find a single, critical flaw in massively popular enterprise software—like Progress Software’s MOVEit tool in 2023 or now Oracle’s E-Business Suite—and then hammer every user of that software before a fix exists. Researchers at Cybereason note they do “extensive reconnaissance, custom code development, CVE attack chaining and coordinates mass scale victimization.” Basically, they weaponize supply chain trust. And it pays. Coveware estimated they made about $75 million from the MOVEit campaign alone. This Oracle rampage is just the latest iteration.
Why This Breach Is A Textbook Nightmare
This is the definition of a no-win scenario for an organization like Dartmouth. The FBI’s Assistant Director called it a “stop what you’re doing and patch immediately” flaw. But how do you patch a hole you don’t know is there? You can have the best firewalls, the most diligent employees, and perfect cybersecurity training, and it means absolutely nothing when the attack comes through a hidden door in the software you bought. The vulnerability had a CVSS score of 9.8 out of 10. That’s as bad as it gets. Google confirmed Cl0p was exploiting it as a zero-day in early August, with suspicious activity back in July. Oracle didn’t even know until weeks after Dartmouth was hit. The lag time between exploit and patch is where these gangs live and profit.
You Can’t Stop It, Only Respond Better
So what’s the solution? Vermont Attorney General Charity Clark pointed to stronger data privacy laws. That might help minimize harm after the fact, but it doesn’t prevent the initial breach. The uncomfortable truth is that complete protection is impossible in a world of complex software dependencies. What matters is response. How fast do you patch once a fix is available? (Oracle took nearly two months). How well do you monitor for signs of intrusion? And crucially, how do you support the victims? Dartmouth is offering a year of credit monitoring, which is standard, but as the notice says, Social Security numbers don’t expire. Their value to criminals is forever. If you got a letter, enroll in the monitoring, set up fraud alerts, and watch your accounts like a hawk for the next two years.
The Bigger Picture: It’s Not Just Dartmouth
Look, Dartmouth is just one high-profile name on a very long list. Cl0p’s leak site also listed Harvard, the University of Pennsylvania, The Washington Post, Logitech, and American Airlines’ Envoy Air. CrowdStrike’s analysis indicates over 100 organizations worldwide were caught in this net. This is an industrial-scale attack on the very backbone of institutional operations—the software that runs payroll, procurement, and HR. It exposes a fundamental tension: we demand that complex organizations run complex software to function, but that complexity inherently creates risk. The next zero-day is already out there, in some other piece of critical infrastructure, waiting to be found. Not by the good guys, but by someone like Cl0p. And then the whole brutal cycle starts again.
