Clop Ransomware Group Linked to 3.5m University of Phoenix Breach

A data breach affecting nearly 3.5 million individuals has been disclosed by the University of Phoenix after attackers gained unauthorized access to its systems during the summer.

The incident involved the theft of sensitive personal and financial information belonging to current and former students, staff, faculty and suppliers.

The University of Phoenix, a private for-profit institution headquartered in Phoenix, Arizona, said the breach stemmed from an attack on its Oracle E-Business Suite (EBS) financial application.

Investigators determined that the intrusion occurred between August 13 and 22, 2025, but it was not detected until November 21, one day after the university was named on the Clop ransomware gang’s data leak site.

In early December, the university published a notice on its website and its parent company, Phoenix Education Partners, filed an 8-K with the US Securities and Exchange Commission.

Notification letters submitted to the Maine Attorney General’s Office and affected individuals on Monday confirmed that 3,489,274 individuals were affected, including 9131 Maine residents.

The compromised data included:

  • Names and contact information
  • Dates of birth
  • Social Security numbers
  • Bank account and routing numbers

The university said the information was accessed without authorization but noted that bank details were obtained “without means of access.”

A Broader Campaign

The attack is believed to be part of a broader campaign in which the Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882. The campaign, which surfaced publicly in early October, has targeted more than 100 organizations across multiple sectors.

“According to our data, this is the fourth-largest ransomware attack in the world this year (based on records affected),” Rebecca Moody, head of data research at Comparitech, said.

“It highlights the ongoing threat that companies face via ransomware – and not just via attacks on their own systems. Attacks on third parties like Oracle often give hackers access to a multitude of companies (and their data) via one central source.”

While Clop has claimed responsibility, some security researchers have been reluctant to place attribution solely with the FIN11 threat group.

Other US universities confirmed to be affected by Oracle EBS breaches include Harvard University, the University of Pennsylvania and Dartmouth College.

Despite the scale of the incident, no University of Phoenix data has appeared publicly at the time of writing, even as attackers released large volumes of files allegedly stolen from other victims.

Education Remains a Target Sector

The University of Phoenix said it is offering free identity protection services to affected individuals. These include 12 months of credit monitoring, identity theft recovery assistance, dark web monitoring and a $1m fraud reimbursement policy.

“I would urge any individuals affected by this breach to take advantage of the university’s offer of free identity protection services,” said Chris Hauk, consumer privacy champion at Pixel Privacy.

“This will give them a leg up in detecting if bad actors are attempting to use the data gathered from the breach for nefarious purposes.”

Security leaders say the incident reflects systemic weaknesses across higher education.

“This breach underscores a troubling pattern we’ve seen throughout 2025,” explained Ensar Seker, CISO of SOCRadar.

“Threat actors like Clop continue to weaponize zero-day vulnerabilities and mass data exfiltration campaigns against large, centralized educational platforms.”

The breach ranks among the most significant education sector incidents reported in 2025. It also highlights the continued appeal of universities as targets for cybercriminals seeking access to extensive repositories of personal and financial data.
