This story was originally produced by the Valley News. NHPR is republishing it in partnership with the Granite State News Collaborative.
More than 40,000 people in New Hampshire and Vermont may have been impacted by a data breach in a system used by Dartmouth College.
Last week, Dartmouth started mailing letters to the people whose personal information was included in data stolen over three days in early August.
During that time, an “unauthorized actor” was able to access Dartmouth College files and take data, including “one or more” files that had personal information such as names, Social Security numbers and financial account information, according to reports Dartmouth filed with the offices of the attorneys general of New Hampshire and Vermont last week.
The breach was part of a widespread attack on the Oracle E-Business Suite, a platform Dartmouth and many other companies use to manage operations. A ransomware group has been taking credit for the attack and has identified more than 100 companies impacted by the breach, according to reporting from SecurityWeek.
“This incident was not the result of any ‘phishing’ attack on a member of the Dartmouth community or any other action or inaction on Dartmouth’s part,” college spokesperson Jana Barnello said.
After Oracle reported the security breach in early October, Dartmouth launched an investigation “as quickly as possible” to identify the impacted data and respond, Barnello said Monday.
It “took time” to review all of the files and identify the people whose information was exposed, Barnello said of the gap between when the Oracle breach was announced and when Dartmouth reported it.
The college reviewed the leaked files and identified that “one or more” contained personal information such as Social Security numbers on Oct. 30, according to the filings.
In response to the breach, Dartmouth implemented “all publicly available patches” for the program to shore up any issues, per Oracle’s recommendations, and set up a phone line for impacted people.
The letters sent to victims describe the incident and Dartmouth’s response and include access to a one-year subscription to Experian IdentityWorks, a personal security program that helps to prevent identity theft.
Dartmouth reported the data breach last week to the attorney general’s offices of New Hampshire and Vermont. The incident “involves” 31,742 New Hampshire residents, an attorney for the college reported in the filings for New Hampshire.
The breach impacted 12,701 Vermonters, Amelia Vath, senior advisor to the Vermont Attorney General, said Monday.
Dartmouth College filed similar reports in other states including Maine, California and Texas.
The only other data breach Dartmouth College has reported to the New Hampshire attorney general since 2006 was in 2012 when a laptop including personal information for four people was stolen, according to an online database.