University of Phoenix Data Breach Exposes 3.5 Million Records via Oracle EBS Exploit
University of Phoenix suffered a major data breach affecting approximately 3.5 million individuals, including students, staff, and suppliers, after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, attributed to the Clop ransomware gang, resulted in the exposure of sensitive personal and financial information such as names, contact details, dates of birth, Social Security numbers, and bank account information. The incident was discovered on November 21, 2025, several months after the initial compromise in August, highlighting significant gaps in the university’s security monitoring and detection capabilities.
Following regulatory requirements, especially in Maine where over 9,000 residents were affected, the University of Phoenix issued formal notifications and offered complimentary identity theft protection services, including credit monitoring and fraud reimbursement. The breach has raised concerns about the adequacy of cybersecurity defenses in higher education and prompted the university to engage legal counsel and external experts to manage the response and notification process. The Clop ransomware group’s involvement and the exploitation of a critical Oracle EBS vulnerability underscore the evolving threat landscape facing educational institutions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Oracle acknowledges EBS zero-days and issues emergency patches
After initially asserting patched systems were safe, Oracle later acknowledged two zero-day vulnerabilities in Oracle E-Business Suite, CVE-2025-61882 and CVE-2025-61884, and released emergency fixes. This disclosure tied the University of Phoenix incident to a wider exploitation campaign.
Clop campaign expands through Oracle EBS zero-day attacks
By late 2025, a broader Clop-linked campaign exploiting Oracle E-Business Suite zero-days had impacted multiple organizations across sectors, including other universities and major enterprises. The activity involved data theft and extortion demands, with researchers and media attributing the operation to the Russian-speaking Clop group.
University of Phoenix offers identity protection to affected people
Following disclosure, the university began offering complimentary identity theft or identity protection services to impacted individuals. It also engaged legal and regulatory response processes related to the breach.
University of Phoenix discloses 3.5 million-person data breach
On 2025-12-22, the University of Phoenix publicly disclosed that a breach affected nearly 3.5 million individuals, including students, former attendees, staff, and suppliers. The disclosure included regulatory notifications, including in Maine, and described exposure of sensitive personal information.
University of Phoenix discovers the breach
The University of Phoenix detected the compromise on 2025-11-21, months after the initial intrusion. Reports indicate discovery came after the incident was publicly listed by Clop.
University of Phoenix breached via Oracle EBS zero-day
Attackers gained unauthorized access to the University of Phoenix environment on 2025-08-13, reportedly exploiting an Oracle E-Business Suite zero-day later identified as CVE-2025-61882. The intrusion led to the theft of sensitive personal and financial data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
University of Phoenix Data Breach – 3.5 Million+ Individuals Affected
cybersecuritynews.com
Open sourceUniversity of Phoenix Data Breach: 3.5M Individuals Affected
bankinfosecurity.com
Open sourceUniversity of Phoenix data breach impacts nearly 3.5 million individuals
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
University of Phoenix Data Breach via Oracle E-Business Suite Exploit
The University of Phoenix disclosed a significant data breach after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, detected on November 21, 2025, resulted in unauthorized access to sensitive personal and financial information, including names, contact details, dates of birth, Social Security numbers, and bank account information of numerous current and former students, employees, faculty, and suppliers. The incident was revealed after the university was listed on the leak site of a prominent Russian extortion group, believed to be the Clop ransomware gang, which has targeted multiple U.S. educational institutions through the same Oracle EBS vulnerability. The university's parent company, Phoenix Education Partners, filed a notice with the U.S. Securities and Exchange Commission (SEC), confirming the breach and stating that cybersecurity insurance would cover the response and remediation costs. While the attackers have not publicly disseminated the stolen data, the university is continuing its investigation and will notify affected individuals and regulatory entities. The breach is part of a broader campaign that has impacted other major universities, highlighting the risks associated with unpatched enterprise software vulnerabilities.
Mar 21, 2026
University of Pennsylvania Data Breach via Clop Exploitation of Oracle E-Business Suite
The University of Pennsylvania suffered a data breach after attackers exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), resulting in the theft of personal information from its systems. The Clop ransomware group is believed to be behind this attack, which targeted numerous Oracle EBS customers worldwide, including other Ivy League institutions such as Dartmouth College and Harvard University. The breach notification filed with Maine's Attorney General confirmed that at least 1,488 individuals were affected, though the total number of victims is likely higher. The university responded by patching its systems after Oracle released fixes and notified federal law enforcement. The attack was part of a broader campaign in which Clop exploited multiple vulnerabilities in Oracle EBS to steal large amounts of data from various organizations. The University of Pennsylvania only became aware of the breach after Oracle acknowledged the vulnerability and Clop began sending extortion emails to victim organizations. While the university has not disclosed the specific types of data stolen, it has stated that there is no evidence the information has been publicly disclosed or misused. The incident highlights the risks associated with unpatched enterprise software and the growing trend of ransomware groups exploiting zero-day vulnerabilities for data theft and extortion.
Mar 21, 2026
Envoy Air Data Breach via Oracle E-Business Suite Zero-Day Exploitation
Envoy Air, a major regional airline operating under American Airlines, experienced a significant data breach in October 2025 following a sophisticated ransomware attack. The breach was traced to the exploitation of a zero-day vulnerability, CVE-2025-61882, in Oracle’s E-Business Suite (EBS), which allowed unauthenticated remote code execution on unpatched systems. The Clop ransomware group, known for targeting large organizations, weaponized this vulnerability as part of a broader campaign affecting multiple industries worldwide. The attack campaign began in August 2025 and escalated through September, prompting Oracle to issue an emergency patch in early October. Envoy Air’s investigation revealed that approximately 26GB of internal business documents and commercial contacts were exfiltrated and later published on Clop’s leak site. However, the airline confirmed that no sensitive customer personally identifiable information (PII), loyalty program data, or flight operations systems were compromised. The breach was contained to non-operational, non-customer-facing IT assets, as corroborated by independent monitors and incident response teams. The incident highlighted the systemic risk posed by widespread adoption of enterprise resource planning (ERP) platforms like Oracle EBS, as other victims included higher education institutions and multinational corporations. Oracle’s October 2025 Critical Patch Update addressed 170 unique CVEs across 29 product families, with 20 patches specifically for Oracle EBS, including fixes for vulnerabilities that could be exploited remotely without authentication. The update included critical patches for multiple Oracle products, reflecting the urgency and severity of the vulnerabilities exploited in the campaign. Envoy Air worked closely with cybersecurity experts and law enforcement to contain the breach and implement remediation measures. The incident underscored the importance of timely patch management and the risks associated with unpatched enterprise software. The Clop group’s use of a zero-day exploit demonstrated the evolving tactics of ransomware operators targeting high-value enterprise systems. The breach also prompted industry-wide reviews of Oracle EBS deployments and accelerated the adoption of security best practices. Oracle’s rapid response and emergency patch release were crucial in mitigating further exploitation. The event serves as a cautionary tale for organizations relying on complex ERP platforms, emphasizing the need for proactive vulnerability management. The breach’s limited impact on customer-facing systems was attributed to effective network segmentation and incident response protocols. The campaign’s global reach highlighted the interconnected nature of modern enterprise IT environments and the potential for cascading risks.
Mar 21, 2026