Dartmouth College, located just across the Connecticut River from Vermont in Hanover, New Hampshire, has notified more than 35,000 people that their personal information was stolen in a cyberattack this past summer. The breach affects current and former employees, students, and alumni—including many Vermonters who have worked at, attended, or have other ties to the Ivy League institution.

Here’s what happened, what information was compromised, and what steps affected individuals should take to protect themselves.

What Happened

Between August 9 and August 12, 2025, hackers exploited a previously unknown security flaw—known as a “zero-day vulnerability”—in Oracle E-Business Suite software that Dartmouth uses to manage payroll, human resources, and financial operations. According to the college’s official notification, the attackers gained unauthorized access to the system and downloaded files containing sensitive personal data.

The vulnerability, tracked as CVE-2025-61882, was not publicly known at the time of the attack, meaning Dartmouth had no way to patch the flaw before hackers exploited it. Cybersecurity researchers at CrowdStrike have attributed the attack to a cybercriminal group known as Cl0p, which has targeted numerous organizations worldwide using similar methods.

Who Is Affected

The breach impacts an estimated 35,000 or more individuals, according to The Record. This includes employees, former employees, students, alumni, and others whose information was stored in the Oracle system. Dartmouth filed a breach notification with the Maine Attorney General’s office citing 1,494 Maine residents affected, with separate filings in other states.

Given Dartmouth’s proximity to Vermont—Hanover sits directly on the Vermont border—and the college’s role as a major regional employer and educational institution, a significant number of affected individuals are likely Vermont residents. Anyone who has received a paycheck, tuition refund, or financial aid disbursement from Dartmouth, or who has provided personal information to the college, could potentially be affected.

What Information Was Stolen

According to Dartmouth’s notification letter, the stolen data includes names, Social Security numbers, and financial account information. Because Oracle E-Business Suite handles payroll and financial operations, “financial account information” likely refers to bank account and routing numbers used for direct deposit rather than credit card numbers.

This combination of data elements presents serious identity theft risks. Social Security numbers cannot easily be changed, and compromised banking details can be used for fraudulent transactions, check fraud, or unauthorized withdrawals.

The Timeline

The attack occurred in early August 2025, but affected individuals did not receive notification letters until late November—a gap of nearly four months. Dartmouth states it completed its review of the affected files on October 30, 2025, with letters going out around November 24, 2025.

Oracle released an emergency security patch on October 4, 2025, after security researchers discovered the vulnerability being exploited. This confirms that during the August breach window, no defensive patch existed.

A Broader Attack Campaign

Dartmouth was not the only institution affected. SecurityWeek reports that the Cl0p group targeted multiple organizations using the Oracle vulnerability, including Harvard University, Southern Illinois University, and Tulane University. The attackers reportedly exfiltrated approximately 226 gigabytes of data from Dartmouth alone.

The Cl0p group is known for stealing sensitive data and threatening to publish it unless victims pay a ransom. Security researchers indicate that data from organizations that decline to pay often ends up posted on websites accessible through the dark web.

What Dartmouth Is Doing

In its notification, Dartmouth states it has applied all available security patches to the Oracle software and will continue to review its vendors’ data security practices. The college is offering affected individuals a complimentary one-year membership to Experian IdentityWorks, a credit monitoring service.

The notification also explains how recipients can place fraud alerts or security freezes on their credit files.

What Affected Individuals Should Do

Consider Closing Affected Bank Accounts: If your direct deposit or other financial account was linked to Dartmouth, consider opening a new account. Unlike credit cards, which can simply be canceled and reissued, compromised checking account numbers can be used for fraudulent withdrawals and are difficult to “freeze.”

Place a Credit Freeze: A security freeze with the three major credit bureaus (Equifax, Experian, and TransUnion) prevents anyone from opening new credit accounts in your name. This is free to do and can be lifted temporarily when you need to apply for credit. The Federal Trade Commission provides instructions for placing freezes.

Freeze ChexSystems: ChexSystems is a consumer reporting agency that tracks checking account history. Placing a freeze prevents criminals from opening fraudulent bank accounts in your name.

Request an IRS Identity Protection PIN: With a stolen Social Security number, criminals can file fraudulent tax returns to claim refunds. The IRS offers a six-digit Identity Protection PIN that prevents unauthorized tax filings.

Monitor the Free Credit Monitoring: While the one-year credit monitoring offered by Dartmouth can help detect suspicious activity, it monitors for problems rather than preventing them. The protective steps above provide more robust security.

Legal Investigations

Multiple law firms, including Lynch Carpenter and Strauss Borrelli, have announced investigations into the breach and are exploring potential class action lawsuits on behalf of affected individuals. Those who received breach notifications may be contacted about participating in these legal actions.

What Happens Next

Dartmouth has stated it will continue strengthening its security measures in response to the incident. Affected individuals should expect to receive notification letters if they haven’t already. Those letters will include instructions for enrolling in the free credit monitoring service and an enrollment deadline.

Regulatory authorities in New Hampshire and other states may pursue investigations into the breach timeline and notification practices. Under New Hampshire law, organizations must notify affected individuals “as quickly as possible” after discovering a breach.

For Vermont residents connected to Dartmouth, the most important immediate step is to take protective action now rather than waiting to see if problems arise. Social Security numbers do not expire, meaning stolen data remains valuable to criminals indefinitely. Placing credit freezes and monitoring bank accounts for unauthorized activity are the most effective defenses against identity theft.

Anyone with questions about whether they are affected can contact Dartmouth or the credit monitoring service listed in their notification letter.