The University of Phoenix reported that a data security incident stemming from a zero-day vulnerability in Oracle’s E-Business Suite allowed threat actors to access sensitive personal information belonging to more than 3.4 million individuals.

The University of Phoenix said attackers exploited a zero-day vulnerability in Oracle’s E-Business Suite, leading to a data breach that exposed sensitive personal information of more than 3.4 million individuals.
In a data security incident notice on its website, UoPX said that on November 21, it became aware of a breach in which threat actors exploited a previously unknown vulnerability in the Oracle EBS system the university uses to manage critical internal operations, including human resources, finance, and other functions.
Oracle E-Business Suite is a widely used ERP platform for managing functions like HR, finance, and supply chain. Clop exploited a critical zero-day flaw—primarily CVE-2025-61882, and possibly CVE-2025-61884—in the EBS BI Publisher component, allowing them to remotely execute arbitrary code without authentication.
An investigation into the incident revealed that “like many other organisations, including other colleges and universities, an unauthorised third-party exploited a previously unknown software vulnerability in Oracle EBS to exfiltrate certain data within the University’s Oracle EBS environment.”
“We believe that the unauthorised third-party obtained certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers with respect to numerous current and former students, employees, faculty and suppliers accessed without authorisation,” the University said.
In a recent filing with the Office of Maine Attorney General, UoPX said that it has identified at least 3,489,274 individuals impacted by the incident.
UoPX added that it promptly applied the Oracle EBS software patches released in October 2025 to remediate the vulnerability. It also notified the appropriate law-enforcement authorities about the incident and will continue to cooperate with their ongoing investigation.
The institution advised affected individuals to monitor their credit, account, and benefit statements and report any suspicious activity to law enforcement. It has also provided complimentary identity protection and credit monitoring services through IDX.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.