Harvard investigating breach linked to Oracle zero-day exploit
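Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site. The breach may have been caused by a zero-day vulnerability in Oracle E-Business Suite servers. Harvard has patched the vulnerability and says it has so far found no evidence that other systems were compromised. The Clop gang has repeatedly exploited zero-day vulnerabilities in large-scale attacks, and more organizations are expected to be affected.

2025-10-13 13:30:20 Author: www.bleepingcomputer.com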

Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site, saying the alleged breach was likely caused by a recently disclosed zero-day vulnerability in Oracle's E-Business Suite servers.

"Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system. This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard," a Harvard University Information Technology spokesperson told BleepingComputer.

"While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated with a small administrative unit."

"Upon receiving it from Oracle, we applied a patch to remediate the vulnerability. We are continuing to monitor and have no evidence of compromise to other University systems."

This statement comes after the Clop extortion gang added Harvard to its data leak extortion site, stating that it would soon publicly release the University's data.

[Image: Harvard on Clop's data leak site. Source: BleepingComputer]

Earlier this month, Mandiant and Google began tracking a new extortion campaign where numerous companies began receiving emails stating sensitive data was stolen from their Oracle E-Business Suite systems. 

These emails came from the Clop ransomware operation, which warned that the stolen data would be leaked if a ransom demand was not paid.

Clop extortion email sent to Oracle customers

While Clop would not share details about the attack, they confirmed to BleepingComputer that they were behind the emails and that a new Oracle flaw was exploited in the data theft attacks.

"Soon all will become obvious that Oracle bugged up their core product and once again, the task is on clop to save the day," the extortion gang told BleepingComputer.

Soon after, Oracle confirmed a new zero-day, tracked as CVE-2025-61882, was found in the software and issued an emergency update.

The Clop extortion gang has a long history of exploiting zero-day flaws in massive data theft attacks, including:

Harvard is the first organization linked to the Oracle E-Business Suite zero-day attacks, but we will likely see more listed over the coming days and weeks.

Source: https://www.bleepingcomputer.com/news/security/harvard-investigating-breach-linked-to-oracle-zero-day-exploit/