Harvard notifies victims of data breach that leaked SSNs

Harvard University notified 41 Massachusetts residents of a September 2025 data breach that compromised their names, Social Security numbers, and addresses, according to the latest report from the state’s attorney general.

Harvard said an unauthorized third party exploited a zero-day vulnerability in Oracle software to launch a cyber attack and steal data.

Ransomware group Clop (“Cl0p”) took credit for the breach. Clop claimed responsibility for a recent spate of data breaches that exploited the same vulnerability.

Clop lists Harvard on its data leak site.

Harvard University has not verified Clop’s claim. Harvard has not disclosed whether it paid a ransom or how much Clop demanded. Comparitech contacted Harvard for comment and will update this article if it replies.

“On September 29, 2025, Harvard University (We or the University) became aware of a third party claiming to have accessed certain University data without authorization,” says Harvard’s notice (PDF) to victims.

“[…] it appears that the unauthorized third party exploited a vulnerability in an Oracle EBusiness Suite web application to carry out a large wave of attacks against a number of victims, including the University. Oracle only released an update to the application to address the vulnerability after the cyberattack that impacted the University.”

Harvard is offering victims 24 months of free credit monitoring through Experian. The deadline to enroll is January 30, 2026.

Who is Cl0p?

Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. It specializes in exploiting zero-day software vulnerabilities, most recently in Oracle’s EBusiness Suite and the Cleo file transfer software. Cl0p targets any organization using the vulnerable software. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it demands ransoms solely in exchange for not selling or publishing stolen data.

In addition to Harvard, Cl0p recently took credit for attacks on three other organizations that all cited the Oracle zero-day in their breach reports:

  • Ansell Limited, Australia
  • University of the Witwatersrand (Wits University), South Africa
  • Envoy Air Inc, USA

Ransomware attacks on US education

In 2025 to date, Comparitech researchers have logged 39 confirmed ransomware attacks against US schools, colleges, and other educational institutions.

We recorded three such attacks last month:

Last month, the Institute of Culinary Education confirmed it notified 33,342 people of an attack claimed by Payouts King in May 2025.

Ransomware attacks on schools and colleges can disrupt day-to-day operations such as taking attendance, submitting grades, phone and email communications, billing, payroll, assignments, and more. Ransomware attacks are often two-pronged: they lock down computer systems and steal data. Schools that refuse to pay a ransom face extended downtime, data loss, and an increased risk of fraud for students and faculty.

The education sector takes longer than any other to notify victims of data breaches: 4.8 months on average.

About Harvard University

Harvard University is a private Ivy League research university in Cambridge, Massachusetts. It enrolls about 25,000 students, employs more than 20,000 faculty and staff, boasts more than 400,000 alumni worldwide, and has 35 million online learners, according to its website.