The University of Phoenix (UoPX) has joined a growing list of U.S. universities breached in a Clop data theft campaign targeting vulnerable Oracle E-Business Suite instances in August 2025.
Founded in 1976 and headquartered in Phoenix, Arizona, UoPX is a private for-profit university with nearly 3,000 academic staff and over 100,000 enrolled students.
The university disclosed the data breach on its official website on Tuesday, while its parent company, Phoenix Education Partners, filed an 8-K form with the U.S. Securities and Exchange Commission (SEC).
UoPX said it detected the incident on November 21 (after the extortion group added it to its data leak site) and noted that the attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application to steal a wide range of sensitive personal and financial information belonging to students, staff, and suppliers.
“We believe that the unauthorized third-party obtained certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers with respect to numerous current and former students, employees, faculty and suppliers was accessed without authorization,” the school said.
“We continue to review the impacted data and will provide the required notifications to affected individuals and regulatory entities. Affected individuals will soon receive a letter via US Mail outlining the details of the incident and next steps to take.”
A spokesperson for the University of Phoenix didn’t respond when BleepingComputer reached out today to request more details about the breach, including the identity of the attackers and the total number of individuals affected.
Although the UoPX has yet to attribute the incident to a specific cybercrime group, based on the details shared so far, the breach is part of a Clop ransomware gang extortion campaign in which the gang has exploited a zero-day flaw (CVE-2025-61882) to steal sensitive documents from many victims’ Oracle EBS platforms since early August 2025.
As part of the same series of data theft attacks, Clop has also targeted other universities in the United States, including Harvard University and the University of Pennsylvania, which have also confirmed Oracle EBS breaches impacting their students and staff.
The extortion group also compromised the Oracle EBS instances of dozens of companies worldwide, including GlobalLogic, Logitech, The Washington Post, and the American Airlines subsidiary Envoy Air, and leaked the stolen data on its dark web site.
In the past, Clop was also behind data theft campaigns targeting GoAnywhere MFT, Accellion FTA, Cleo, and MOVEit Transfer customers, the latter affecting more than 2,770 organizations.
Since late October, the systems of several U.S. universities have also been breached in a series of voice phishing attacks, with Harvard University, University of Pennsylvania, and Princeton University disclosing that the attackers breached systems used for development and alumni activities to steal the personal information of donors, staff, students, alumni, and faculty.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.