Dartmouth College, a private Ivy League research university, suffered a data breach during a three-day window from August 9 to August 12, 2025 when the Cl0p ransomware gang (also known as TA505) exploited a zero-day vulnerability in Oracle's E-Business Suite software (CVE-2025-61882) to access Dartmouth's enterprise resource planning system and exfiltrate files containing personal information. Oracle disclosed the underlying vulnerability and released security patches in early October 2025. Dartmouth subsequently launched an internal investigation, identified the impacted data on October 30, 2025, and began notifying affected individuals through letters mailed in late November 2025 with state attorney general filings on November 24, 2025. Cl0p formally claimed responsibility for the Dartmouth breach on its dark-web data leak site on November 11, 2025, with the attackers leaking approximately 226 gigabytes of stolen Dartmouth data after Dartmouth declined to pay ransom.

The breach affected approximately 35,000 to 40,000 individuals based on combined state attorney general filings (with DataBreach.com reporting approximately 163,306 rows of data, reflecting the underlying file content rather than the count of affected individuals). Compromised fields included full names, Social Security numbers, financial account information including bank account details, email addresses, phone numbers, and ZIP codes. The affected population included current and former Dartmouth students (including student-employees), faculty, staff, and other individuals whose information was processed through Dartmouth's Oracle E-Business Suite platform. The exposure of SSN combined with bank account information represents an exceptionally high-risk data combination because it directly enables both identity theft and ACH-fraud (unauthorized direct withdrawal from compromised bank accounts).

For affected individuals, the practical risk profile is exceptionally severe due to the combination of SSN exposure with bank account data. Affected individuals should enroll in the complimentary Experian credit monitoring and identity theft protection services offered by Dartmouth before the February 28, 2026 enrollment deadline. Affected individuals should also consider placing a credit freeze with all three credit bureaus (Equifax, Experian, and TransUnion), which is more protective than credit monitoring alone because it prevents new accounts from being opened in the affected individual's name. The SSN exposure at a university is distinctively concerning because students often do not actively monitor their credit during their studies (because they have no mortgage, car loan, or other large account that would trigger credit-bureau alerts), making student-victim populations especially vulnerable to silent identity-fraud accumulation that may not be apparent until after graduation. Affected individuals should monitor their bank accounts daily for unauthorized ACH withdrawals, request replacement bank account numbers from their financial institution if any unusual activity is detected, and remain alert to phishing or impersonation attempts referencing real Dartmouth-association details. Class-action litigation is available for affected individuals seeking compensation. Affected individuals may also file complaints with state attorneys general in New Hampshire, Vermont, Maine, Texas, or other applicable states.

Universities collect student, staff, faculty, alumni, applicant, donor, and research-linked identity, contact, financial, academic, and employment records across education and administration systems.

Dartmouth disclosed the breach to affected individuals through letters mailed in late November 2025 and through state attorney general filings in New Hampshire (31,742 residents), Vermont (more than 12,700 residents), Maine (at least 1,494 residents), and Texas. Interim Chief Information Officer Tom DeChiaro circulated a campus-wide email on December 16, 2025 acknowledging the incident and encouraging affected individuals to enroll in the complimentary Experian credit monitoring and identity theft protection services offered by the institution (with an enrollment deadline of February 28, 2026). Dartmouth has emphasized that the breach was the result of a zero-day vulnerability in Oracle's E-Business Suite software (CVE-2025-61882) rather than a phishing attack or other action by Dartmouth personnel, and that Dartmouth has implemented all available Oracle security patches and established a hotline for affected individuals. The case is part of the broader Cl0p ransomware gang campaign that has compromised more than 100 organizations globally including Harvard University, the University of Pennsylvania, and Cox Enterprises.