The University of Phoenix has confirmed that a cybersecurity breach resulting from the exploitation of a zero-day vulnerability in Oracle’s E-Business Suite (EBS) affects 3,489,274 individuals.
The compromised data includes sensitive personal and financial information, and the university has now begun notifying affected individuals.
The breach was discovered on November 21, 2025, when the University of Phoenix identified suspicious activity in its Oracle EBS environment. The institution immediately engaged third-party cybersecurity experts and launched an investigation. Three days later, on November 24, it was confirmed that attackers had exploited a then-unknown Oracle EBS flaw to exfiltrate data over a ten-day period between August 13 and 22, 2025.
Oracle’s EBS is a widely used enterprise resource planning (ERP) platform that handles business functions such as HR, finance, and procurement. The University of Phoenix relied on this software for internal operations, and the breach did not disrupt its academic programs. However, the incident resulted in the unauthorized extraction of names, dates of birth, Social Security numbers, and bank account and routing numbers, though not credentials to access those accounts.
The University of Phoenix, a prominent online educational institution serving over 80,000 primarily adult learners, is a subsidiary of Phoenix Education Partners, Inc. It operates nationwide and is one of the largest for-profit universities in the US. The breach adds it to the growing list of organizations compromised via CVE-2025-61882, a zero-day vulnerability in Oracle EBS exploited by the Clop ransomware group. Similar attacks have affected major entities like Logitech and The Washington Post.
On December 22, 2025, the university began notifying affected individuals via written letters and is offering 12 months of free identity protection services through IDX. These include credit monitoring, dark web surveillance, a $1 million identity fraud reimbursement policy, and fully managed recovery support. Impacted individuals have until March 22, 2026, to enroll in these services.
Although no data leaks or extortion attempts have been publicly linked to this breach, the scale and nature of the stolen data raise concerns about potential downstream identity theft and fraud. As investigations continue, the university anticipates costs related to legal compliance, remediation, and cybersecurity enhancements, but does not expect a material impact on academic operations or financial health.
The university’s students and staff should remain vigilant for phishing attempts leveraging stolen data, and monitor their financial accounts for signs of fraudulent activity.
Leave a Reply