Princeton University, Oracle Corporation and Phoenix Education Partners: University of Phoenix data breach impacts nearly 3.5 million individuals

**Clop Ransomware Gang Steals Data of 3.5 Million from University of Phoenix**

The Clop ransomware gang has stolen the personal and financial data of nearly 3.5 million individuals—including current and former students, staff, and suppliers—after breaching the University of Phoenix (UoPX) network in August 2025. The attack was part of a broader extortion campaign exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), a financial application used by the university.

UoPX, a private for-profit institution based in Phoenix, Arizona, detected the breach on November 21 after Clop listed the university on its data leak site. The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account information. In early December, the university publicly disclosed the incident and filed an 8-K report with the U.S. Securities and Exchange Commission (SEC).

On Monday, UoPX confirmed in notification letters filed with Maine’s Attorney General that 3,489,274 individuals were affected. The university is offering free identity protection services, including credit monitoring, dark web surveillance, and a $1 million fraud reimbursement policy.

While UoPX has not officially attributed the attack, the tactics align with Clop’s recent campaign targeting Oracle EBS vulnerabilities. Other U.S. universities, including Harvard and the University of Pennsylvania, have also reported similar breaches linked to the same exploit.

Clop has a history of high-profile data theft operations, previously targeting GoAnywhere MFT, Accellion FTA, MOVEit Transfer, Cleo, and Gladinet CentreStack. The U.S. Department of State has offered a $10 million reward for information connecting the gang’s activities to a foreign government.

In a separate wave of attacks since late October, multiple universities—including Harvard, Princeton, and the University of Pennsylvania—have also fallen victim to voice phishing (vishing) attacks, compromising systems tied to development and alumni activities.

Source: https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/

Princeton University cybersecurity rating report: https://www.rankiteo.com/company/princeton-university

Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle

University of Phoenix cybersecurity rating report: https://www.rankiteo.com/company/university-of-phoenix

"id": "PRIORAUNI1766419165",
"linkid": "princeton-university, oracle, university-of-phoenix",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '3,489,274 (current and former '
                                              'students, employees, faculty, '
                                              'and suppliers)',
                        'industry': 'Higher Education',
                        'location': 'Phoenix, Arizona, USA',
                        'name': 'University of Phoenix',
                        'size': 'Over 100,000 enrolled students and nearly '
                                '3,000 academic staff',
                        'type': 'Educational Institution'}],
 'attack_vector': 'Exploitation of zero-day vulnerability (CVE-2025-61882)',
 'customer_advisories': 'Free identity protection services offered (credit '
                        'monitoring, identity theft recovery, dark web '
                        'monitoring, $1 million fraud reimbursement policy)',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '3,489,274',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Social Security numbers, bank '
                                        'account and routing numbers, dates of '
                                        'birth, contact information)',
                 'type_of_data_compromised': ['Personal Information',
                                              'Financial Information']},
 'date_detected': '2025-11-21',
 'date_publicly_disclosed': '2025-12-01',
 'description': 'The Clop ransomware gang has stolen the data of nearly 3.5 '
                'million University of Phoenix (UoPX) students, staff, and '
                "suppliers after breaching the university's network in August "
                '2025. The attackers exploited a zero-day vulnerability in the '
                'Oracle E-Business Suite (EBS) financial application to steal '
                'sensitive personal and financial information.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': '3,489,274 records',
            'identity_theft_risk': 'Yes',
            'legal_liabilities': 'Potential regulatory fines and legal actions',
            'payment_information_risk': 'Yes',
            'systems_affected': 'Oracle E-Business Suite (EBS) financial '
                                'application'},
 'initial_access_broker': {'entry_point': 'Oracle E-Business Suite (EBS) '
                                          'zero-day vulnerability '
                                          '(CVE-2025-61882)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion, Data Theft',
 'post_incident_analysis': {'root_causes': 'Exploitation of zero-day '
                                           'vulnerability in Oracle E-Business '
                                           'Suite (CVE-2025-61882)'},
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Clop'},
 'references': [{'source': 'BleepingComputer'},
                {'source': 'University of Phoenix Official Website'},
                {'source': 'SEC Filing (8-K)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violations of '
                                                    'data protection laws '
                                                    '(e.g., FERPA, GDPR if '
                                                    'applicable)'],
                           'regulatory_notifications': "Filed with Maine's "
                                                       'Attorney General, SEC '
                                                       'filing'},
 'response': {'communication_strategy': 'Public disclosure on official '
                                        'website, SEC filing, notification '
                                        'letters to affected individuals'},
 'stakeholder_advisories': 'Notification letters mailed to affected '
                           'individuals, public disclosure on website',
 'threat_actor': 'Clop ransomware gang',
 'title': 'Clop Ransomware Gang Steals Data of 3.5 Million University of '
          'Phoenix Students and Staff',
 'type': 'Data Breach, Ransomware',
 'vulnerability_exploited': 'CVE-2025-61882 (Oracle E-Business Suite)'}