The University of Phoenix has confirmed a major data breach affecting nearly 3.5 million current and former students, employees, faculty and suppliers, which followed an exploit by the Clop ransomware group in November.
Clop is a prolific cybercrime group known for large-scale data-extortion attacks that focus on exploiting “zero-day” or yet-unpatched vulnerabilities in widely used enterprise software to steal sensitive data rather than encrypt systems.
The intrusion was first detected on Nov. 21, but only after Clop listed the University of Phoenix on its dark-web leak site. According to a report today by Bleeping Computer, further investigation found that the attackers gained unauthorized access in August 2025. They leveraged a previously unknown flaw in Oracle Corp.’s E-Business Suite to move laterally into systems containing personal and financial records.
The vulnerability exploited by Clop was first detailed publicly in early November, when it was reported that Clop-linked hackers had been exploiting it since at least September, after executives at multiple companies began receiving emails alleging that attackers had exfiltrated financial and operational data from their Oracle EBS systems.
The data stolen from the University of Phoenix included full names, contact details, dates of birth, Social Security numbers and bank account and routing numbers.
The university itself has not pointed the finger at Clop, but given what is already known about the group and its exploitation of Oracle EBS, including claiming publicly to have done so, there is little doubt about the origins of the attack.
“Clop has been on a rampage this year, targeting zero-day vulnerabilities in software used by large enterprises,” Paul Bischoff, consumer privacy advocate at product comparison site Comparitech, told News via email. “Specifically, it targets Oracle’s E-Business Suite and the Cleo file transfer software. This attack on the University of Phoenix is most likely related to the former.”
In response to the breach, the University of Phoenix has begun notifying affected individuals by mail and is offering 12 months of free identity protection services, including credit monitoring, dark-web surveillance and a $1 million fraud reimbursement policy to help mitigate the fallout.
Perhaps surprisingly, the breach is one of the largest to have occurred in 2025.
“According to our data, this is the fourth-largest ransomware attack in the world this year (based on records affected),” said Rebecca Moody, head of data research at Comparitech. “It highlights the ongoing threat that companies face via ransomware and not just via attacks on their own systems.”
Given that it’s public knowledge that Clop was exploiting Oracle EBS weeks before the University of Phoenix found that it had been targeted as well, the breach highlights the urgent and ongoing need for continuous patching, robust network segmentation and proactive threat hunting, especially around third-party platforms that serve as the backbone of educational institutions and companies.
