3.4 Million Impacted In University Of Phoenix Ransomware Attack

The University of Phoenix has confirmed a ransomware attack that exposed the personal and financial data of approximately 3.49 million individuals.

The University of Phoenix has confirmed that a cyberattack exposed the personal and financial information of approximately 3.49 million individuals, including current and former students, faculty, staff, and suppliers. The breach has been attributed to the Clop ransomware group, which used a previously unknown vulnerability in Oracle’s E-Business Suite to gain unauthorized access to the university’s systems.

Although the incident occurred on August 13, 2025, it remained undiscovered until November 21, when the attackers posted evidence of the stolen data on their public leak site.

The university has since begun notifying those affected and regulatory authorities, offering identity protection services while continuing its investigation.

Why It Matters: Higher education institutions are frequently targeted by cybercriminals due to the large volumes of personal and financial data they collect. This incident affects millions of individuals and reveals the risks associated with enterprise-level software vulnerabilities that go unnoticed for extended periods of time.

Oracle EBS Vulnerability Exploited: The Clop ransomware group used a zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882) to breach the university’s network. The flaw allowed unauthorized access to systems that contained financial and personal records. This same vulnerability has been used in recent attacks on other U.S. universities such as Harvard. Investigators believe the exploit was part of a wider, organized campaign to steal data from institutions using Oracle’s platform.
Sensitive Data Stolen: The breach exposed names, Social Security numbers, birth dates, addresses, and banking details of individuals attending and affiliated with the university. The nature and scale of the exposure place a large population of individuals at risk and open the door to financial fraud and identity theft.
Delayed Detection: The breach occurred in August but was not discovered until November 21, after Clop made the attack public. This delay suggests that the university’s internal security controls were not capable of detecting unauthorized access within a reasonable timeframe. The attackers maintained system access for more than three months before any alerts were triggered.
Support Offered to Victims: The university is providing one year of credit monitoring, identity theft recovery, dark web monitoring, and up to $1 million in fraud reimbursement. Notification letters have been sent to affected individuals, with legal teams ensuring compliance with state-specific data breach laws, including mandatory reporting in Maine.
Investigation Ongoing: A regulatory filing was made with the SEC, and the university has acknowledged that a formal internal investigation is in progress. So far, there has been no detailed public explanation of what specific steps are being taken to prevent similar incidents in the future, though additional disclosures are expected.

Irfan Latif
