University of Phoenix Breach Tied to Oracle Zero-Day Exposes Data of Nearly 3.5 Million People

Key Takeaways
  • Nearly 3.5 Million Impacted: The University of Phoenix breach affects 3,489,274 current and former students, employees, faculty, and suppliers.
  • Zero-day Exploitation: Attackers exploited a previously unknown vulnerability in Oracle E-Business Suite, allowing data theft months before detection.
  • Delayed Discovery: The intrusion occurred in August but was only detected in November after the university appeared on the Clop leak site.
  • Highly Sensitive Data Exposed: Compromised information includes Social Security numbers, dates of birth, and bank account and routing numbers.
Deep Dive

The University of Phoenix has confirmed that a cyberattack linked to a previously unknown software flaw has compromised the personal and financial data of nearly 3.5 million individuals, marking one of the largest education-sector breaches disclosed this year.

The breach dates back to August, when attackers accessed the university’s network by exploiting a zero-day vulnerability in Oracle’s E-Business Suite financial application. At the time, the intrusion went undetected. The university said it only became aware of the incident on November 21, after the Clop ransomware group publicly named UoPX on its data leak site.

In early December, UoPX disclosed the breach on its website, while Phoenix Education Partners, its parent company, filed a Form 8-K with the U.S. Securities and Exchange Commission to notify investors of the incident. According to the university, the attackers gained access to a wide range of sensitive information belonging to current and former students, employees, faculty, and suppliers. That data includes names and contact details, dates of birth, Social Security numbers, and bank account and routing numbers.

“We believe that the unauthorized third party obtained certain personal information,” the university said, adding that the information was accessed without authorization during the attack.

At the time of the initial disclosure, Andrea Smiley, UoPX’s Vice President for Public Relations, told BleepingComputer that the university was still assessing the scope of the compromised data and would notify affected individuals and regulators as required.

This week, the university put a precise figure on the damage. In notification letters filed with the office of Maine’s Attorney General and mailed to impacted individuals, UoPX confirmed that the breach affects 3,489,274 people.

In response, the university is offering free identity protection services to those impacted, including 12 months of credit monitoring, identity theft recovery support, dark web monitoring, and a $1 million fraud reimbursement policy.

While UoPX has not formally named the perpetrators, the details disclosed so far align closely with a broader extortion campaign carried out by Clop. The group has been exploiting a zero-day vulnerability tracked as CVE-2025-61882 since early August to steal data from organizations running Oracle E-Business Suite platforms.

The incident highlights a recurring pattern in large-scale breaches involving enterprise software: attackers move quickly to exploit newly discovered flaws, while victims may not discover the intrusion until weeks or months later, often after stolen data has already been publicly advertised.
