The University of Phoenix has confirmed that a recent cyberattack on its Oracle E-Business Suite (EBS) system has exposed the personal data of nearly 3.5 million individuals. The breach is part of a broader Oracle EBS hacking campaign linked to the Cl0p ransomware group and associated with the FIN11 threat actor cluster.
Attack Exploits Oracle EBS Vulnerabilities
The hackers exploited zero-day vulnerabilities in Oracle EBS, a widely used enterprise management platform, to gain access to sensitive customer data. The campaign, which targeted over 100 organizations including corporations and universities, likely began during the summer and became publicly known in early October 2025.
The University of Phoenix reported that it first became aware of the incident on November 21, 2025, one day after being publicly named as a target by the attackers. Subsequent investigations determined that unauthorized data access occurred between August 13 and August 22, 2025.
Data Compromised
The compromised information includes:
- Full names
- Dates of birth
- Social Security numbers
- Bank account and routing numbers
The university emphasized that, although banking information was exposed, the breach did not include any direct means to access victims’ accounts.
Scope and Impact
The Maine Attorney General’s Office confirmed that the breach affects nearly 3.5 million individuals. While Cl0p has released stolen data from other targeted organizations, there is no evidence that any University of Phoenix records have been published online.
Broader Campaign Targets Universities
The University of Phoenix is not the only higher education institution affected by the Oracle EBS campaign. Confirmed and alleged victims include:
- University of Pennsylvania
- Harvard University
- Dartmouth College
- Southern Illinois University
- Tulane University
Some of these institutions have had stolen data published by the attackers, though several have yet to publicly acknowledge breaches.
The incident underscores the growing risks associated with zero-day exploits in enterprise software and the increasing sophistication of ransomware-linked cybercriminal groups.
