University of Phoenix Data Breach Exposes 3.5 Million in Clop Ransomware Campaign
The University of Phoenix disclosed a massive data breach affecting nearly 3.5 million individuals, including current and former students, staff, faculty, and suppliers. Attackers exploited a zero-day vulnerability (CVE-2025-61882) in the university’s Oracle E-Business Suite (EBS) financial application, gaining unauthorized access between August 13 and 22, 2025. The intrusion went undetected until November 21, one day after the Clop ransomware gang listed the university on its data leak site.
The breach compromised sensitive data, including:
- Names and contact information
- Dates of birth
- Social Security numbers
- Bank account and routing numbers (though the university noted these were accessed "without means of access")
The attack is part of a broader campaign targeting over 100 organizations across multiple sectors. Security researchers attribute the operation to Clop, though some hesitate to confirm sole involvement by the FIN11 threat group. Other affected U.S. universities include Harvard, the University of Pennsylvania, and Dartmouth College.
Despite the scale—ranked as the fourth-largest ransomware attack globally in 2025—no University of Phoenix data has been publicly leaked as of this report. The university is offering free identity protection services, including credit monitoring, dark web monitoring, and fraud reimbursement, to impacted individuals.
The incident highlights systemic vulnerabilities in higher education, with threat actors increasingly exploiting zero-day flaws in centralized platforms to maximize data exfiltration. Education remains a prime target due to its vast repositories of personal and financial information.
Source: https://www.infosecurity-magazine.com/news/university-phoenix-breach-clop/
ORACLE FINANCIAL SERVICES SOFTWARE LIMITED cybersecurity rating report: https://www.rankiteo.com/company/oracle-financial-services-software-limited
{
  "id": "ORA1766513091",
  "linkid": "oracle-financial-services-software-limited",
  "type": "Vulnerability",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '3,489,274',
'industry': 'Higher Education',
'location': 'Phoenix, Arizona, USA',
'name': 'University of Phoenix',
'size': 'Large',
'type': 'Educational Institution'},
{'industry': 'Higher Education',
'location': 'Massachusetts, USA',
'name': 'Harvard University',
'size': 'Large',
'type': 'Educational Institution'},
{'industry': 'Higher Education',
'location': 'Pennsylvania, USA',
'name': 'University of Pennsylvania',
'size': 'Large',
'type': 'Educational Institution'},
{'industry': 'Higher Education',
'location': 'New Hampshire, USA',
'name': 'Dartmouth College',
'size': 'Large',
'type': 'Educational Institution'}],
'attack_vector': 'Exploitation of zero-day vulnerability in Oracle E-Business '
'Suite (CVE-2025-61882)',
'customer_advisories': 'Offering free identity protection services (12 months '
'of credit monitoring, identity theft recovery '
'assistance, dark web monitoring, and $1m fraud '
'reimbursement policy).',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '3,489,274',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Names',
'Contact information',
'Dates of birth',
'Social Security numbers',
'Bank account and routing '
'numbers']},
'date_detected': '2025-11-21',
'date_publicly_disclosed': '2025-12-02',
'description': 'A data breach affecting nearly 3.5 million individuals has '
'been disclosed by the University of Phoenix after attackers '
'gained unauthorized access to its systems during the summer. '
'The incident involved the theft of sensitive personal and '
'financial information belonging to current and former '
'students, staff, faculty, and suppliers.',
'impact': {'brand_reputation_impact': 'Significant',
'data_compromised': 'Sensitive personal and financial information',
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': 'Oracle E-Business Suite (EBS) financial '
'application'},
'initial_access_broker': {'entry_point': 'Oracle E-Business Suite (EBS) '
'financial application'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The incident highlights systemic weaknesses across higher '
'education and the ongoing threat of ransomware groups '
'exploiting zero-day vulnerabilities in third-party '
'software. It underscores the need for enhanced monitoring '
'and proactive security measures in educational '
'institutions.',
'motivation': 'Data exfiltration, potential ransomware',
'post_incident_analysis': {'root_causes': 'Exploitation of zero-day '
'vulnerability (CVE-2025-61882) in '
'Oracle E-Business Suite'},
'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Clop'},
'recommendations': 'Affected individuals should take advantage of free '
'identity protection services. Organizations should '
'prioritize patching known vulnerabilities, enhance '
'monitoring of critical systems, and implement robust '
'incident response plans.',
'references': [{'source': 'University of Phoenix Website'},
{'source': 'US Securities and Exchange Commission (SEC) 8-K '
'Filing'},
{'source': 'Maine Attorney General’s Office'},
{'source': 'Comparitech'},
{'source': 'Pixel Privacy'},
{'source': 'SOCRadar'}],
'regulatory_compliance': {'regulatory_notifications': ['SEC 8-K filing',
'Maine Attorney '
'General '
'notification']},
'response': {'communication_strategy': 'Published notice on website and filed '
'8-K with SEC; submitted notification '
'letters to Maine Attorney General and '
'affected individuals'},
'threat_actor': 'Clop ransomware gang (suspected FIN11)',
'title': 'University of Phoenix Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'CVE-2025-61882'}