Clop Ransomware Claims Massive 3.5M University of Phoenix Breach

Summary
– The University of Phoenix disclosed a data breach affecting nearly 3.5 million individuals after attackers accessed its systems in August 2025.
– The breach, via a vulnerability in Oracle E-Business Suite, compromised sensitive personal and financial data including Social Security and bank account numbers.
– The attack is linked to the Clop ransomware gang’s broader campaign exploiting an Oracle zero-day flaw, impacting over 100 organizations.
– The university is offering affected individuals free identity protection services, including credit monitoring and fraud reimbursement.
– This incident highlights systemic cybersecurity weaknesses in higher education and the sector’s appeal as a target for data theft.
A significant data breach impacting approximately 3.5 million people has been confirmed by the University of Phoenix, revealing that attackers infiltrated its systems last summer. The private for-profit university, based in Arizona, announced that the intrusion targeted its Oracle E-Business Suite financial software, leading to the theft of highly sensitive personal and financial records. Those affected include a vast number of current and former students, employees, faculty members, and suppliers connected to the institution.
Investigations pinpointed the unauthorized access to a specific window in August 2025, though the security failure went undetected for months. The university only became aware of the problem in late November, shortly after the notorious Clop ransomware gang listed the institution on its public data leak site. Official notifications filed with regulators and sent to impacted individuals confirm the massive scope, affecting millions across the United States.
The exposure is particularly severe: the stolen records encompass full names, contact details, dates of birth, Social Security numbers, and bank account information including routing numbers. In a concerning detail, the university stated that while this data was accessed without permission, the bank details were obtained “without means of access,” a phrase that may indicate the data was stored in an unsecured format.
This attack is not an isolated event. It appears to be a major component of a widespread campaign where the Clop group exploited a critical, previously unknown flaw in Oracle’s E-Business Suite. This vulnerability, identified as CVE-2025-61882, has been used to compromise over a hundred organizations globally since coming to light in October. Security analysts note this breach now stands as one of the largest ransomware-related incidents of the year based on the volume of records stolen.
“It highlights the ongoing threat that companies face via ransomware – and not just via attacks on their own systems,” explained Rebecca Moody of Comparitech. “Attacks on third parties like Oracle often give hackers access to a multitude of companies via one central source.” While Clop has publicly claimed responsibility, some experts caution against definitively attributing the attack solely to the associated FIN11 threat actor. Other prestigious universities, including Harvard and Dartmouth, have also confirmed breaches linked to the same Oracle software flaw.
In response to the crisis, the University of Phoenix is providing complimentary identity protection services to all affected individuals. This offering includes a full year of credit monitoring, assistance with identity theft recovery, dark web surveillance, and an insurance policy covering up to $1 million in fraud losses. Cybersecurity advocates strongly recommend that anyone notified take immediate advantage of these services.
“This will give them a leg up in detecting if bad actors are attempting to use the data gathered from the breach for nefarious purposes,” said consumer privacy advocate Chris Hauk.
The incident casts a harsh light on persistent cybersecurity vulnerabilities within the higher education sector. These institutions manage vast troves of valuable personal and financial data, making them attractive and repeated targets for sophisticated cybercriminal operations. Security leaders point to a dangerous trend of threat actors focusing on centralized platforms used by multiple organizations to maximize the impact of a single attack.
“This breach underscores a troubling pattern we’ve seen throughout 2025,” said Ensar Seker, CISO of SOCRadar. “Threat actors like Clop continue to weaponize zero-day vulnerabilities and mass data exfiltration campaigns against large, centralized educational platforms.” As of now, none of the stolen University of Phoenix data has been publicly released, even as the attackers have leaked files from other victims in the same campaign.
(Source: InfoSecurity Magazine)