Harvard University is investigating a data breach after the notorious Clop ransomware gang listed the school on its data leak site. The group claims to have stolen data by exploiting a recently disclosed zero-day vulnerability in Oracle’s E-Business Suite servers. A Harvard University Information Technology spokesperson told BleepingComputer that they are aware of the reports and that the issue has impacted many other Oracle E-Business Suite customers, not just the university. The spokesperson added that while the investigation is ongoing, they believe the incident affects a limited number of people within a small administrative unit.
The Clop extortion gang, known for its large-scale data theft campaigns, added Harvard to its data leak site, threatening to release the university’s data publicly if a ransom is not paid. This action came after Mandiant and Google began tracking a new extortion campaign where numerous companies received emails from Clop warning them that sensitive data had been stolen from their Oracle E-Business Suite systems. The group confirmed to BleepingComputer that they were behind the emails and that a new Oracle flaw was exploited in the attacks.
The gang even taunted Oracle, stating, “Soon all will become obvious that Oracle bugged up their core product and once again, the task is on clop to save the day.” Soon after this statement, Oracle confirmed a new zero-day vulnerability, tracked as CVE-2025-61882, had been found in the software and issued an emergency update. Harvard has since applied the patch to remediate the vulnerability and continues to monitor its systems, with no evidence of compromise to other university systems.
Clop has a long history of exploiting zero-day vulnerabilities in massive data theft attacks. Their past campaigns include exploiting flaws in Accellion FTA in 2020, SolarWinds Serv-U FTP software in 2021, and both GoAnywhere MFT and MOVEit Transfer in 2023. The MOVEit campaign was their most extensive to date, allowing data theft from 2,773 organizations worldwide. More recently, in 2024, they exploited two zero-days in Cleo file transfer software to steal data from companies and extort them.
While Harvard is the first organization to be publicly linked to these specific Oracle E-Business Suite attacks, it is likely that more will be identified in the coming days and weeks. The pattern of Clop’s past operations suggests that the group targets a large number of victims simultaneously by exploiting a single widespread software flaw, and Harvard’s case is likely just the beginning.