Emerging Impacts of Clop Ransomware Group’s Oracle E-Business Suite Attack

A widespread attack targeting Oracle E-Business Suite software has reverberated throughout the United States, with the University of Phoenix now confirmed as one of the victims. This attack has led to the exposure of personal information belonging to approximately 3.5 million students, staff, and partners of the institution.
The breach was discovered in November but occurred in August; the University is now sending notifications to affected individuals informing them that their data was compromised. According to the University’s statements, officials first became aware of a possible cybersecurity incident related to a vulnerability in the Oracle software on November 21. Subsequent investigations confirmed that an unauthorized third party had exploited this vulnerability between August 13 and August 22 to access sensitive information.
The data breach includes a range of sensitive personal details, such as names, dates of birth, Social Security numbers, as well as bank account and routing numbers. Andrea Smiley, the University’s vice president for public relations, stated that they are actively reviewing the gathered information and will fulfill regulatory requirements to notify affected parties.
While the University has not explicitly attributed the attack to any group, the ransomware gang Clop has listed it among non-paying victims on their data leak platform. Other educational institutions, including Harvard and Tulane, have also fallen prey to the same campaign. The situation is evolving, with more victims continuing to come to light, such as LKQ, which reported a similar breach linked to Oracle E-Business Suite software that was detected in early October.
The nature of the vulnerabilities points to the tactics likely used in the attack. Initial access appears to have involved exploiting a zero-day vulnerability, which maps in the MITRE ATT&CK framework to the Initial Access tactic via the Exploitation of Public-Facing Applications technique (T1190). Persistence and privilege escalation techniques may also have been in play, allowing the attackers to maintain access and extract sensitive data from many organizations at scale.
Clop, also known as TA505, has established a pattern of launching coordinated attacks across multiple sectors, notably targeting unsecured managed file-transfer solutions to exfiltrate data en masse. Their campaigns have become increasingly sophisticated, and their email extortion strategies show signs of extensive preparatory work.
After initially asserting that users of fully patched Oracle EBS were not at risk, Oracle revised its position and acknowledged a zero-day vulnerability, CVE-2025-61882, linked to these incidents. Oracle has since released urgent patches and urged all users to apply them to safeguard their environments. Security experts emphasize that, because the patches do not undo an intrusion that has already occurred, Oracle EBS users must also check their environments for signs of prior compromise in order to contain any ongoing threat.
The current Oracle EBS attack follows Clop’s established pattern of targeting a diverse array of organizations across sectors such as healthcare, finance, and education. Given the ongoing threat posed by such groups, it remains crucial for organizations to stay vigilant and keep robust cybersecurity measures in place to protect sensitive data.