Clop’s Latest Heist: University of Phoenix Data of 3.5 Million Compromised

Clop Ransomware Breach Exposes Data of 3.5 Million University of Phoenix Students and Staff

The420 Web Desk

When the University of Phoenix quietly detected unusual activity in late November, the scale of the breach was not immediately clear. By early December, however, the picture had sharpened: nearly 3.49 million current and former students, faculty members, employees and suppliers had their sensitive data accessed without authorization.

The disclosure followed the university’s appearance on the data-leak site of Clop, a prolific ransomware and extortion group that has spent years exploiting weaknesses in widely used enterprise software. In a regulatory filing with the U.S. Securities and Exchange Commission, Phoenix Education Partners, the university’s parent company, confirmed that attackers had accessed names, contact details, dates of birth, Social Security numbers, and bank account and routing information.

For a private, for-profit institution with roughly 82,700 students and a workforce of about 3,400, the incident represents one of the largest known education-sector data breaches of the year.

A Zero-Day Flaw and a Familiar Playbook

According to the university, the attackers exploited a previously unknown vulnerability—a so-called zero-day flaw—in Oracle’s E-Business Suite, a financial application used by large organizations worldwide. The breach is believed to be part of a broader Clop campaign that began in early August, leveraging the same vulnerability, tracked as CVE-2025-61882, to siphon data rather than encrypt systems.

This approach has become Clop’s signature. In recent years, the group has carried out high-profile mass data-theft operations against customers of Accellion, MOVEit Transfer, GoAnywhere MFT, Cleo and other enterprise platforms. Universities, with vast troves of personal data and complex IT environments, have increasingly found themselves in the crosshairs.

Harvard University and the University of Pennsylvania have both acknowledged breaches tied to Oracle E-Business Suite in the same wave of attacks, reinforcing concerns that a single software flaw can cascade across institutions with little warning.

Fallout for Students, Staff and the Institution

The University of Phoenix said it is reviewing affected records and has begun notifying individuals and regulators, including state attorneys general. In filings with Maine’s Attorney General, the school confirmed the total number of impacted individuals and outlined mitigation steps.

Those affected are being offered free identity-protection services, including a $1 million fraud reimbursement policy, a year of credit monitoring, identity-theft recovery assistance and dark-web monitoring. Such measures, while now standard after large breaches, highlight the long tail of harm that can follow a single intrusion, particularly when Social Security and banking details are involved.

University officials have stopped short of publicly naming Clop as the attacker, but cybersecurity researchers say the technical details and timing align closely with the group’s known operations.

Higher Education in the Crosshairs of Cybercrime

The breach adds to mounting evidence that colleges and universities are facing a sustained cyber onslaught. Beyond ransomware groups, several U.S. institutions—including Harvard, Penn and Princeton—have recently disclosed voice-phishing attacks that compromised systems tied to alumni and donor data.

The stakes extend beyond privacy. The U.S. Department of State is offering a reward of up to $10 million for information linking Clop’s operations to a foreign government, reflecting fears that ransomware gangs may serve broader geopolitical aims.

For universities, the University of Phoenix incident is a stark reminder that the sector’s dependence on large, interconnected software platforms can magnify risk. As attackers increasingly favor data theft over system disruption, experts warn that breaches of this scale may become more common—leaving institutions to reckon not only with regulatory scrutiny, but with the erosion of trust among students and staff whose data they are meant to safeguard.