CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

University of Phoenix Confirms Millions Affected in Oracle E-Business Suite Breach

The University of Phoenix has confirmed that nearly 3.5 million individuals were impacted by a data breach tied to a wider exploitation campaign targeting Oracle E-Business Suite (EBS).

The incident is part of a large-scale operation affecting more than 100 organizations and is linked to a financially motivated cybercrime group associated with the Cl0p ransomware ecosystem.

While highly sensitive personal and financial data was accessed, the university reports no evidence that its data has been publicly leaked at this time.

Context

Oracle E-Business Suite is a widely used enterprise resource planning platform that manages payroll, financials, and human resources data for large organizations.

In mid-2025, attackers began exploiting previously unknown (zero-day) vulnerabilities in Oracle EBS to extract sensitive data from customer environments.

The campaign has been publicly claimed by the Cl0p ransomware group, though researchers assess the activity aligns with tactics historically associated with the FIN11 threat cluster.

What Happened

The University of Phoenix confirmed it was targeted after being named publicly by attackers on November 20, 2025.

Internal investigation determined that unauthorized data access and exfiltration occurred between August 13 and August 22, 2025.

The compromised data includes names, dates of birth, Social Security numbers, and bank account and routing numbers, though the university stated the information was obtained “without means of access,” such as PINs or passwords.

Regulatory filings indicate approximately 3.5 million individuals were affected.

Technical Breakdown

Attackers exploited zero-day vulnerabilities in Oracle EBS to bypass authentication controls and access backend data repositories.

The campaign focused on data theft rather than encryption, consistent with extortion-driven operations where stolen data is leveraged for pressure rather than immediate disruption.

In many cases involving other victims, attackers later published stolen data volumes ranging from hundreds of gigabytes to multiple terabytes.

To date, no University of Phoenix data has been observed on public leak sites.

Impact Analysis

The breach exposes affected individuals to long-term risks including identity theft, financial fraud, and account takeover.

For the institution, the incident brings regulatory scrutiny, legal exposure, and reputational damage, particularly given the scale of sensitive data involved.

The event also underscores the systemic risk posed by vulnerabilities in widely deployed enterprise software platforms.

Why It Matters

This incident highlights how zero-day exploitation of enterprise systems can lead to mass compromise without user interaction.

Universities, which often manage large volumes of sensitive personal data, remain attractive targets for financially motivated threat actors.

The campaign reinforces the need for rapid patching, continuous monitoring, and defense-in-depth strategies around core business applications.

Expert Commentary

Security researchers note that Oracle EBS attacks reflect a broader trend toward targeting centralized enterprise platforms rather than endpoints.

The absence of leaked University of Phoenix data does not eliminate risk, as stolen information may still be traded privately or used in downstream fraud.

Experts emphasize that visibility gaps in legacy enterprise systems remain a key challenge for defenders.

Key Takeaways

Organizations relying on large enterprise platforms must treat third-party software risk as a top-tier security concern.

Zero-day exploitation continues to enable large-scale breaches before patches are available.

Data theft-focused attacks can be just as damaging as ransomware incidents.

Universities and public institutions remain high-value targets.

Timely detection and incident response can reduce downstream harm even after compromise.

Assume stolen data may be misused even if not publicly leaked.
