University of Phoenix Data Breach Exposes 3.5 Million

Summary
– The Clop ransomware gang breached the University of Phoenix’s network in August 2025, stealing sensitive personal and financial data of nearly 3.5 million individuals.
– The attackers exploited a zero-day vulnerability (CVE-2025-61882) in the Oracle E-Business Suite financial application to access the data.
– The stolen information includes names, contact details, dates of birth, Social Security numbers, and bank account information of students, staff, and suppliers.
– This attack is part of a broader Clop extortion campaign that has also targeted other U.S. universities, including Harvard and the University of Pennsylvania.
– The University of Phoenix is offering affected individuals free identity protection services, including credit monitoring and a fraud reimbursement policy.
A significant data breach at the University of Phoenix has compromised the sensitive information of approximately 3.5 million individuals, including current and former students, employees, and suppliers. The incident, linked to the notorious Clop ransomware gang, exploited a critical vulnerability in the university’s financial software systems. This attack underscores the persistent threat cybercriminals pose to educational institutions and the vast amounts of personal data they manage.
The private, for-profit university detected unauthorized activity on November 21st, shortly after the Clop group listed the institution on its data leak website. An investigation revealed that attackers had gained access by exploiting a zero-day vulnerability in the Oracle E-Business Suite (EBS), a platform used for financial operations. This security flaw allowed the criminals to exfiltrate a trove of personal and financial records.
The stolen data includes highly sensitive details such as full names, contact information, dates of birth, Social Security numbers, and bank account and routing numbers. The university has initiated a comprehensive review to determine the full scope of the impacted data and is in the process of notifying all affected parties as required by law. In filings with state authorities, the institution confirmed the breach impacted precisely 3,489,274 people.
In response to the incident, the University of Phoenix is offering affected individuals complimentary identity protection services. This package features 12 months of credit monitoring, identity theft recovery assistance, dark web surveillance, and a fraud reimbursement policy valued at up to $1 million. The university’s parent company, Phoenix Education Partners, formally reported the breach to the U.S. Securities and Exchange Commission in early December.
While the university has not officially named the perpetrators, evidence strongly points to the Clop ransomware operation. This group has been actively targeting organizations using the Oracle EBS software since August 2025, leveraging the same specific vulnerability. Other major academic institutions, including Harvard University and the University of Pennsylvania, have reported similar breaches tied to the same flaw in their Oracle systems.
The Clop gang is infamous for its large-scale data theft campaigns, having previously exploited vulnerabilities in widely used file transfer solutions like GoAnywhere MFT and MOVEit Transfer. The U.S. Department of State is currently offering a substantial reward for information that could link the group’s activities to a foreign government, highlighting the severity with which these attacks are viewed.
This breach at the University of Phoenix is part of a disturbing trend of cyberattacks targeting the education sector. In recent months, several other universities have fallen victim to separate voice phishing schemes, compromising donor and alumni databases. These incidents collectively demonstrate the critical need for robust cybersecurity defenses and proactive threat monitoring within academic communities to protect the personal information of students and staff.
(Source: Bleeping Computer)





