The University of Phoenix has disclosed a cybersecurity incident involving unauthorized access to sensitive personal data through a now-patched vulnerability in Oracle’s E-Business Suite (EBS).
The breach, publicly reported in a SEC 8-K filing submitted yesterday, impacted the ERP system used for managing internal operations but did not disrupt academic programs or business operations.
The breach was discovered on November 21, 2025, prompting a response that included assistance from third-party cybersecurity firms. According to the filing, the root cause was a previously unknown software vulnerability in Oracle EBS, which was exploited by an unauthorized third party to copy data from the University’s systems. The intrusion occurred in August 2025, several weeks before Oracle issued security patches in October. The company confirmed it applied the fixes promptly after release.
While the full scope is still under investigation, the compromised data includes names, contact details, dates of birth, Social Security numbers, and banking information. So far, there is no indication that the stolen data has been leaked or publicly exposed. Notifications to affected individuals and regulatory authorities are in progress.
The University of Phoenix is one of the largest online universities in the United States, serving over 80,000 students, primarily working adults. It offers undergraduate and graduate degree programs across business, healthcare, education, and technology fields.
Though Phoenix did not name the attacker or reference a specific vulnerability, the timeline and technical details align with a broader campaign disclosed in October 2025 involving the Clop ransomware group. That campaign exploited a critical zero-day (CVE-2025-61882) in Oracle EBS, allowing unauthenticated remote code execution via the BI Publisher integration. Mandiant and Oracle have linked this exploit to several confirmed breaches at high-profile organizations, including Logitech and The Washington Post.
The University of Phoenix becomes the latest known victim in a growing list of entities affected by this attack vector. While no extortion demands have been publicly reported in this case, other organizations compromised through the same vulnerability have received such demands from Clop.
Phoenix stated that it does not expect the incident to have a material impact on its financial condition or student-facing services. However, it acknowledged that it will incur costs related to investigation, remediation, legal compliance, and potential regulatory action. The company maintains a cybersecurity insurance policy that covers many of these expenses.
The investigation remains ongoing as the company continues to analyze the compromised environment and review the affected data. Phoenix Education Partners has confirmed it will notify impacted individuals and relevant regulatory authorities as required once the review is complete.
Leave a Reply