TL;DR: Between August 13 and August 22, 2025, the Cl0p ransomware gang exploited a critical Oracle zero-day (CVE-2025-61882) to steal Social Security numbers, bank account details, and birth dates from 3,489,274 University of Phoenix students, employees, faculty, and suppliers. The university didn't detect the breach until November 21 — only after Cl0p posted the data on its leak site. Notification letters went out December 22. If you're affected, you have until March 22, 2026 to enroll in free credit monitoring through IDX.
Three Months of Silence
Here's what makes this breach especially grim: the attackers were in and out in 10 days. The university took 91 days to notice.
Cl0p exploited CVE-2025-61882 — a critical flaw in Oracle's E-Business Suite scoring 9.8 out of 10 on the severity scale — to bypass authentication entirely. No passwords needed. No phishing required. Just a direct path into University of Phoenix's enterprise systems through Oracle's Concurrent Processing module [1].
The attack window ran from August 13 to August 22, 2025. During those 10 days, Cl0p exfiltrated data on nearly 3.5 million people without triggering a single alarm [2].
Oracle patched the vulnerability on October 4, 2025 — more than six weeks after the breach. University of Phoenix didn't discover the intrusion until November 21, when Cl0p posted the stolen data on its dark web leak site [3].
Finding out you've been breached because the criminals announced it publicly is not a cybersecurity program. It's a notification service run by your attackers.
What Was Stolen
According to the SEC filing from parent company Phoenix Education Partners, Inc. (PXED) on December 2, 2025, the compromised data includes [4]:
- Names and contact information
- Dates of birth
- Social Security numbers
- Bank account and routing numbers
The total count: 3,489,274 people, as reported to the Maine Attorney General's office [2].
That covers current students, former students, employees, faculty, and suppliers. If you've had any relationship with University of Phoenix — even years ago — your data may be in this haul.
Cl0p: Serial Enterprise Hackers
This wasn't a random attack. Cl0p — a Russian-speaking cybercrime operation — specializes in finding zero-day vulnerabilities in enterprise software and exploiting them at industrial scale [5].
Their playbook hasn't changed in years: find a flaw, exploit it across as many organizations as possible before anyone notices, exfiltrate data silently, then list the victims on their leak site and wait for ransom payments.
University of Phoenix was one of at least 103 organizations hit in Cl0p's Oracle EBS campaign. Other confirmed victims include Harvard, Dartmouth, the University of Pennsylvania, American Airlines' subsidiary Envoy Air, Korean Air, Logitech, Canon, and the Washington Post [5].
Cl0p even briefly listed Oracle itself on its leak site on November 20, 2025, with the message: "The company doesn't care about its customers." The entry was removed shortly after [3].
That might be the most honest thing a ransomware gang has ever said.
The Detection Problem
The 91-day gap between breach and discovery is bad, but it's not unusual. According to IBM's 2025 Cost of a Data Breach Report, the average time to identify a breach is 194 days. University of Phoenix actually beat the average — but only because the attackers outed themselves [6].
Without Cl0p's leak site posting, this breach could have gone undetected for months longer. That's the uncomfortable reality of enterprise security: many organizations only learn they've been breached when the stolen data shows up somewhere public.
Phoenix Education Partners told the SEC that "management currently believes the incident will not have a material adverse effect on its business operations or student programming." They also noted they carry cybersecurity insurance [4].
That's nice for the company. Less comforting for the 3.5 million people whose SSNs and bank accounts are now in criminal hands.
The Lawsuits Have Started
At least two class action lawsuits have already been filed [7]:
- Pointer v. University of Phoenix and Oracle — filed in the Western District of Texas. Names both the university and Oracle as defendants, arguing both failed to protect student data.
- Rico and Soliz v. University of Phoenix — filed in the District of Arizona by two former students alleging negligence.
Naming Oracle as a co-defendant is notable. It signals that affected individuals — and their lawyers — are questioning whether the software vendor bears responsibility for the zero-day that made this breach possible.
What You Need to Do
If you received a notification letter, act before March 22, 2026. If you haven't received one but have any history with University of Phoenix, act anyway.
Enroll in Free Monitoring (Deadline: March 22)
University of Phoenix is offering 12 months of IDX identity protection: credit monitoring, dark web monitoring, and a $1 million fraud reimbursement policy. Enroll at response.idx.us/uphoenix or call 1-833-353-7866. You'll need the unique code from your notification letter.
Freeze Your Credit Now
Contact Equifax (1-800-349-9960), Experian (1-888-397-3742), and TransUnion (1-888-909-8872) to place credit freezes. This stops anyone from opening new accounts using your stolen SSN. It's free, takes 15 minutes, and is the single most effective step you can take.
Watch Your Bank Accounts
Bank account and routing numbers were stolen. Set up transaction alerts with your bank. Review statements weekly. If you see anything unfamiliar — even a small test charge — report it immediately and consider opening a new account.
Request an IRS Identity Protection PIN
With your SSN and birth date compromised, fraudulent tax filings are a real risk. Request an IP PIN from the IRS at irs.gov/ippin. This prevents anyone else from filing taxes using your Social Security number.
The Bigger Picture
University of Phoenix is the largest single victim in Cl0p's Oracle EBS campaign by headcount. But it's part of a pattern that should concern everyone who's ever given personal data to a university, employer, or government contractor.
These organizations all depend on the same handful of enterprise software platforms — Oracle, SAP, Salesforce, Workday. When one of those platforms has a critical vulnerability, the blast radius isn't one organization. It's hundreds. Sometimes thousands.
Cl0p knows this. That's why they keep targeting enterprise software supply chains instead of individual companies. Why hack one university when you can hack the software that runs all of them?
Until enterprise software vendors face real accountability for zero-day vulnerabilities — and organizations get serious about detecting intrusions faster than 91 days — this cycle will repeat. Cl0p's next mass-exploitation campaign isn't a question of if. It's when.
References
[1] Brilliance Security Magazine — University of Phoenix Discloses 3.5M-Record Data Breach Linked to Oracle EBS Zero-Day
[2] BleepingComputer — University of Phoenix data breach impacts nearly 3.5 million individuals
[3] Infosecurity Magazine — Clop Ransomware Group Linked to 3.5m University of Phoenix Breach
[4] SecurityWeek — 3.5 Million Affected by University of Phoenix Data Breach
[5] SecurityWeek — Nearly 30 Alleged Victims of Oracle EBS Hack Named on Cl0p Ransomware Site
[6] IBM — Cost of a Data Breach Report 2025
[7] Top Class Actions — University of Phoenix class action claims data breach exposed 3.5M students' PII