Harvard University is investigating a cybersecurity breach after a notorious Russian-speaking ransomware gang, Clop, claimed it stole sensitive data through a flaw in the Oracle E-Business Suite software used by the school.

Quick Summary – TLDR:

  • Harvard confirmed a data breach tied to Oracle software, but said it affected only a small administrative unit
  • Clop, a cybercrime group, is demanding ransom and threatening to leak the stolen information
  • The attack is part of a global campaign targeting more than 100 organizations using Oracle’s E-Business Suite
  • Oracle has released multiple emergency patches to fix the exploited vulnerabilities

What Happened?

A Russian-speaking ransomware group known as Clop added Harvard University to its list of victims over the weekend, claiming it accessed confidential data via a critical flaw in Oracle’s widely used E-Business Suite. While Harvard confirmed the incident, it stressed that the breach was limited and there is no indication that core university systems were affected.

A Targeted Hit with Global Impact

The breach is part of a much larger international campaign that began as early as July. According to cybersecurity researchers at Google’s Mandiant and Threat Intelligence Group, Clop exploited vulnerabilities in Oracle’s E-Business Suite (EBS), targeting systems that manage key enterprise functions like finance, HR, and supply chain operations.

Clop’s tactics follow a familiar pattern. After stealing data, the group posts victims on its leak site and pressures them into paying large ransoms under the threat of publishing sensitive files. In Harvard’s case, Clop has not yet released any data publicly but has issued a warning signaling that it intends to do so if its demands are not met.

Oracle initially addressed the vulnerabilities with a July update but later admitted additional flaws in early October. Two vulnerabilities, now tracked as CVE-2025-61882 and CVE-2025-61884, were found to be involved. Oracle urged all users running EBS versions 12.2.3 through 12.2.14 to apply patches immediately.

Harvard’s Quick Response and Containment

Harvard University Information Technology (HUIT) acted swiftly after learning about the breach. According to spokesperson Tim J. Bailey, a patch was applied to fix the vulnerability as soon as Oracle provided it. Harvard emphasized that the data breach affected only a “limited number of parties associated with a small administrative unit,” and there is currently no evidence that other university systems were compromised.

While the specific types of data compromised were not disclosed, experts say attackers often provide screenshots and directory listings to prove access. Former FBI Cyber Division Deputy Cynthia Kaiser noted that Clop began contacting victims via email in late September, with some ransom demands reaching seven and eight figures.

FBI and Experts Raise Alarms

The FBI and UK cybersecurity officials confirmed the campaign, labeling it a serious threat. FBI Assistant Director Brett Leatherman described CVE-2025-61882 as a “stop-what-you’re-doing and patch immediately” situation. He warned organizations still using Oracle EBS to isolate affected systems and stay alert.

Austin Larsen from Google’s Threat Intelligence Group said that while dozens of organizations have been confirmed as victims, “based on the scale of previous Clop campaigns, it is likely there are over a hundred.”

Clop’s Track Record: Ransom and Ruin

Clop has made headlines before. In 2023, it compromised over 2,700 organizations using the MoveIt file transfer platform, earning an estimated $75 million from ransom payments. In 2019, the gang locked down Maastricht University’s digital systems, demanding and receiving a €200,000 ransom to restore access. More recently, the group exploited Cleo file transfer systems, particularly targeting companies in the consumer goods space.

Harvard’s incident is the latest chapter in Clop’s growing list of high-profile victims, reinforcing the need for timely software patching and robust cybersecurity measures across industries.

SQ Magazine Takeaway

This isn’t just about Harvard. It’s a reminder that even top-tier institutions are vulnerable when relying on widely used software with hidden security holes. Personally, I think this incident highlights a dangerous reality: big-name software systems like Oracle’s EBS are prime targets, and if you’re not updating them the moment patches drop, you’re rolling the dice. The fact that Clop is confidently threatening elite institutions should make every IT admin lose sleep. Stay patched, stay alert, or risk becoming tomorrow’s headline.

Sofia Ramirez

Senior Tech Writer


Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations, so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.