Harvard University has emerged as the first confirmed victim in a widespread cyberattack campaign targeting users of Oracle’s E-Business Suite (EBS) platform.

The university appeared on the Cl0p ransomware group’s leak site on October 12, initially listed by name. The attackers have since released a link claiming to host over 1.3 terabytes of data allegedly stolen from Harvard, though the authenticity of the files has not yet been verified by SecurityWeek.

In an official statement, Harvard acknowledged that it was affected by the Oracle EBS exploitation. The institution stated that while the investigation is still ongoing, the breach appears to involve only “a limited number of parties connected to a small administrative unit.”

Harvard also confirmed that the vulnerability used in the attack has been patched, and there is currently no indication that other systems were compromised.

According to Google’s Threat Intelligence Group (GTIG) and Mandiant, dozens of organizations worldwide have been impacted by this campaign. The stolen data likely varies in sensitivity, as Oracle’s EBS systems often store financial, HR, supplier, and inventory information.

The attackers reportedly sent extortion emails to executives of the targeted companies under the Cl0p ransomware brand — a name associated with previous high-profile breaches affecting users of Cleo, MOVEit, Fortra, and Accellion products.

Although the Oracle EBS campaign has not been officially linked to a particular actor, GTIG and Mandiant have found strong connections to FIN11, a financially motivated cybercrime group that has previously worked alongside Cl0p.

Security researchers suggest the campaign leveraged both known and zero-day vulnerabilities, along with sophisticated malware. CrowdStrike reported that exploitation activity began around August 9, though Google’s findings indicate that the first signs of intrusion may date back to July 10.