Mallory

University of Phoenix Data Breach Exposes 3.5 Million Records via Oracle EBS Exploit

Tags: Oracle, exploit, identity theft, EBS, zero-day, breach, personal information, ransomware, financial information, vulnerability, fraud reimbursement, cybersecurity defenses, external experts

Updated December 23, 2025 at 08:02 PM | 3 sources


University of Phoenix suffered a major data breach affecting approximately 3.5 million individuals, including students, staff, and suppliers, after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, attributed to the Clop ransomware gang, resulted in the exposure of sensitive personal and financial information such as names, contact details, dates of birth, Social Security numbers, and bank account information. The incident was discovered on November 21, 2025, several months after the initial compromise in August, highlighting significant gaps in the university’s security monitoring and detection capabilities.

Following regulatory requirements, especially in Maine where over 9,000 residents were affected, the University of Phoenix issued formal notifications and offered complimentary identity theft protection services, including credit monitoring and fraud reimbursement. The breach has raised concerns about the adequacy of cybersecurity defenses in higher education and prompted the university to engage legal counsel and external experts to manage the response and notification process. The Clop ransomware group’s involvement and the exploitation of a critical Oracle EBS vulnerability underscore the evolving threat landscape facing educational institutions.

Sources

December 23, 2025 at 12:51 PM
December 23, 2025 at 12:00 AM

Related Stories

University of Phoenix Data Breach via Oracle E-Business Suite Exploit

The University of Phoenix disclosed a significant data breach after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, detected on November 21, 2025, resulted in unauthorized access to sensitive personal and financial information, including names, contact details, dates of birth, Social Security numbers, and bank account information of numerous current and former students, employees, faculty, and suppliers. The incident was revealed after the university was listed on the leak site of a prominent Russian extortion group, believed to be the Clop ransomware gang, which has targeted multiple U.S. educational institutions through the same Oracle EBS vulnerability. The university's parent company, Phoenix Education Partners, filed a notice with the U.S. Securities and Exchange Commission (SEC), confirming the breach and stating that cybersecurity insurance would cover the response and remediation costs. While the attackers have not publicly disseminated the stolen data, the university is continuing its investigation and will notify affected individuals and regulatory entities. The breach is part of a broader campaign that has impacted other major universities, highlighting the risks associated with unpatched enterprise software vulnerabilities.

3 months ago

University of Pennsylvania Data Breach via Clop Exploitation of Oracle E-Business Suite

The University of Pennsylvania suffered a data breach after attackers exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), resulting in the theft of personal information from its systems. The Clop ransomware group is believed to be behind this attack, which targeted numerous Oracle EBS customers worldwide, including other Ivy League institutions such as Dartmouth College and Harvard University. The breach notification filed with Maine's Attorney General confirmed that at least 1,488 individuals were affected, though the total number of victims is likely higher. The university responded by patching its systems after Oracle released fixes and notified federal law enforcement. The attack was part of a broader campaign in which Clop exploited multiple vulnerabilities in Oracle EBS to steal large amounts of data from various organizations. The University of Pennsylvania only became aware of the breach after Oracle acknowledged the vulnerability and Clop began sending extortion emails to victim organizations. While the university has not disclosed the specific types of data stolen, it has stated that there is no evidence the information has been publicly disclosed or misused. The incident highlights the risks associated with unpatched enterprise software and the growing trend of ransomware groups exploiting zero-day vulnerabilities for data theft and extortion.

3 months ago

Envoy Air Data Breach via Oracle E-Business Suite Zero-Day Exploitation

Envoy Air, a major regional airline operating under American Airlines, experienced a significant data breach in October 2025 following a sophisticated ransomware attack. The breach was traced to the exploitation of a zero-day vulnerability, CVE-2025-61882, in Oracle’s E-Business Suite (EBS), which allowed unauthenticated remote code execution on unpatched systems. The Clop ransomware group, known for targeting large organizations, weaponized this vulnerability as part of a broader campaign affecting multiple industries worldwide. The attack campaign began in August 2025 and escalated through September, prompting Oracle to issue an emergency patch in early October. Envoy Air’s investigation revealed that approximately 26GB of internal business documents and commercial contacts were exfiltrated and later published on Clop’s leak site. However, the airline confirmed that no sensitive customer personally identifiable information (PII), loyalty program data, or flight operations systems were compromised. The breach was contained to non-operational, non-customer-facing IT assets, as corroborated by independent monitors and incident response teams. The incident highlighted the systemic risk posed by widespread adoption of enterprise resource planning (ERP) platforms like Oracle EBS, as other victims included higher education institutions and multinational corporations. Oracle’s October 2025 Critical Patch Update addressed 170 unique CVEs across 29 product families, with 20 patches specifically for Oracle EBS, including fixes for vulnerabilities that could be exploited remotely without authentication. The update included critical patches for multiple Oracle products, reflecting the urgency and severity of the vulnerabilities exploited in the campaign. Envoy Air worked closely with cybersecurity experts and law enforcement to contain the breach and implement remediation measures. 
The incident underscored the importance of timely patch management and the risks associated with unpatched enterprise software. The Clop group’s use of a zero-day exploit demonstrated the evolving tactics of ransomware operators targeting high-value enterprise systems. The breach also prompted industry-wide reviews of Oracle EBS deployments and accelerated the adoption of security best practices. Oracle’s rapid response and emergency patch release were crucial in mitigating further exploitation. The event serves as a cautionary tale for organizations relying on complex ERP platforms, emphasizing the need for proactive vulnerability management. The breach’s limited impact on customer-facing systems was attributed to effective network segmentation and incident response protocols. The campaign’s global reach highlighted the interconnected nature of modern enterprise IT environments and the potential for cascading risks.

4 months ago
