The university is reviewing exposed records and preparing notifications after attackers accessed its financial application environment.
According to BleepingComputer, the University of Phoenix confirmed that attackers exploited a zero-day vulnerability in Oracle E-Business Suite to access personal and financial data belonging to students, staff, faculty, and suppliers. The intrusion was detected on November 21 after the Clop group added the university to its leak site. Exposed data includes names, contact information, dates of birth, Social Security numbers, and banking details. The university’s parent company also filed an 8-K with the Securities and Exchange Commission describing the event and its ongoing review of impacted records.
The breach aligns with a broader campaign in which attackers targeted Oracle E-Business Suite financial environments across higher education and private industry. Investigators believe the zero-day allowed remote access to internal systems where sensitive files were stored. Once the compromise was identified, the university restricted affected systems and began validating the content of exposed documents to prepare regulatory notifications. Oracle EBS environments often support procurement, payroll, accounts payable, and student finance workflows, which increases the amount of personal and banking data stored in these systems. The incident also shows how supply chain flaws or third-party software issues can lead to broad operational impacts when exploited at scale.
University officials stated that they are reviewing the exposed data and will notify affected individuals through postal mail. They did not disclose how many people were impacted or provide additional details about the attackers. Public statements say that the review is ongoing and that regulatory reporting requirements will be met. External reporting tied the attack to the Clop group, which has previously taken credit for targeting similar Oracle EBS environments at other institutions. Security researchers noted that universities often rely on complex legacy systems that can be difficult to update quickly, making them attractive targets for threat actors who focus on enterprise resource planning software.
Reporting from The Record shows how the University of Phoenix incident fits into a much wider campaign tied to the Clop extortion group, which claims to have stolen data from “hundreds of companies” by exploiting a previously unknown flaw in Oracle EBS. The same group allegedly hit “Harvard University, Dartmouth College and the University of Pennsylvania,” which shows that academic institutions remain high-value targets.
Carl Froggett, CIO at Deep Instinct, said universities operate in sprawling digital environments that make them inherently difficult to secure. “Higher-education institutions were never built to function as full-scale cyber defense operations, yet they are expected to protect research, students, employees, and operational data from both known and unknown threats,” he explained. His warning is direct: “The attack surface is no longer just your environment; it is every environment you depend on.”
ERP platforms store financial and administrative records in one place, which makes them attractive to attackers who seek high-value datasets.
Names, contact details, dates of birth, Social Security numbers, and banking information were identified among the compromised files.
Many institutions run similar Oracle EBS configurations, and attackers often scan for vulnerable services that can be exploited in the same campaign.
Current reporting indicates that this was a data theft event in which attackers exfiltrated files rather than encrypting systems.
Affected individuals can monitor bank accounts, review statements for unfamiliar activity, and remain cautious of unsolicited messages that reference the university or financial services.