University of Phoenix breach exposes data of nearly 3.5 million people

A cyberattack tied to an Oracle software flaw led to the theft of sensitive personal and financial information.

What happened

The University of Phoenix confirmed a data breach that affected 3,489,274 individuals after attackers gained unauthorized access to its systems earlier in 2025. According to Fox News, the intrusion was detected on November 21 after the university appeared on a public data leak site. The university disclosed the incident in early December, and its parent company filed a regulatory notice shortly afterward. Notification filings with the Maine Attorney General show that current and former students, faculty, staff, and suppliers were impacted.

Going deeper

The university said the attackers exploited a previously unknown vulnerability in Oracle E-Business Suite, a platform used to manage financial and administrative operations. Security researchers believe the activity aligns with techniques commonly associated with the Clop cybercrime group, which is known for exploiting zero-day flaws to steal data rather than deploy ransomware. Investigators reported that the vulnerability was abused as early as August, allowing attackers to access systems for weeks before detection. The compromised data included names, contact details, dates of birth, Social Security numbers, and banking information, creating long term exposure risks for affected individuals.

What was said

University officials stated that they engaged external cybersecurity firms immediately after discovering the incident and began reviewing affected data sets. The institution said it is providing required notifications to impacted individuals and regulators and is offering identity protection services. The university says that it is continuing to assess the scope of the exposure and has taken steps to prevent further unauthorized access. Representatives also noted that activation of protective services requires a code included in mailed notification letters.

The big picture

The breach at the University of Phoenix reflects a broader campaign tied to the Clop cybercrime group’s exploitation of Oracle E-Business Suite. According to SecurityWeek, Clop has publicly named nearly 30 organizations it claims were affected by the same Oracle EBS activity, after extortion emails were sent to executives at dozens of entities in late September. SecurityWeek reported that “twenty-nine alleged victims of the Oracle EBS hack have been listed on the Cl0p leak website to date,” with several organizations confirming impacts shortly after being named.

SecurityWeek also noted that Clop’s involvement mirrors its role in earlier high-profile data theft campaigns targeting Cleo, MOVEit, and Fortra file transfer products, where the group focused on stealing sensitive data rather than deploying ransomware. That pattern aligns with the University of Phoenix incident, where attackers are believed to have exploited a previously unknown Oracle flaw to quietly extract large volumes of personal and financial information over an extended period before public disclosure.

FAQs

Why was Oracle E-Business Suite a valuable target?

The platform manages financial, payroll, and administrative data, which often includes highly sensitive personal and banking information.

Does this breach involve ransomware encryption?

No. Investigators believe the attackers focused on data theft rather than system disruption, which is consistent with prior Clop campaigns.

Who is most at risk after this incident?

Individuals whose Social Security numbers or banking details were exposed face a higher risk of identity theft, financial fraud, and targeted phishing.

How will affected individuals be notified?

The university stated that notification letters are being sent by postal mail and include details about the exposed data and available protection services.

What steps should impacted individuals take?

They should monitor financial accounts, review credit reports, consider placing fraud alerts, and be cautious of unsolicited messages referencing university records.