University of Phoenix, Inc. disclosed a significant data breach affecting approximately 3.5 million individuals following an external system compromise discovered in November 2025.
The unauthorized access occurred on August 13, 2025, but remained undetected until November 21, 2025, creating a three-month window of exposure.
Breach Overview
The incident resulted from an external hacking attack targeting the educational institution’s systems.
While the exact attack vector has not been publicly detailed, the breach exposed personal identifiers combined with sensitive information belonging to current and former students, faculty, and potentially other individuals associated with the university.
Among those affected, 9,131 were Maine residents, triggering mandatory state notification requirements.
University of Phoenix, headquartered at 4035 South Riverpoint Parkway in Phoenix, Arizona, confirmed the breach through formal written notification sent to affected individuals on December 22, 2025.
The disclosure followed investigation and notification procedures required under data protection laws, including Maine’s data breach notification statute.
The university has committed to providing identity theft protection services to affected individuals at no cost.
According to correspondence filed with state regulators, the company is offering comprehensive protective services, though specific details regarding the provider and service duration were contained in supplementary materials provided to authorities.
Constangy, Brooks, Smith & Prophete, LLP, serving as legal counsel for the university, coordinated the breach notification process.
Partner Sean B. Hoar confirmed compliance with all applicable notification requirements and regulatory obligations across affected jurisdictions.
The breach represents a substantial incident requiring notification to multiple state attorneys general and consumer reporting agencies.
The exposure of nearly 3.5 million individuals’ personal information places this incident among the more significant education sector breaches reported in 2025.
Maine authorities received formal notification because the number of state residents affected by the compromise exceeded the 1,000-resident threshold.
The three-month detection window raises questions about the institution’s security monitoring capabilities and incident response procedures.
Educational institutions have increasingly become targets for cyber attackers seeking access to valuable personal and financial information maintained in student records and administrative systems.
Affected individuals are being advised to monitor their credit reports and take advantage of the offered identity theft protection services.
University of Phoenix has not disclosed additional details regarding remediation efforts, infrastructure improvements, or root cause analysis of the breach at this time.
The incident underscores ongoing cybersecurity challenges faced by higher education institutions managing vast repositories of sensitive student information.
Further updates regarding the investigation and security improvements are expected as the institution completes its formal incident review process.
