According to the university’s statement, attackers obtained names, contact information, dates of birth, Social Security numbers, and bank account and routing numbers for millions of students, alumni, employees, faculty and suppliers.
The university was affected by a vulnerability in Oracle E-Business Suite (EBS), an on-premises enterprise resource planning (ERP) tool used by thousands of industry and education clients, according to Oracle’s website.
A component of Oracle EBS allowed unauthorized users to gain ongoing access to the system and exfiltrate ERP data, according to an October 2025 blog post from cybersecurity company Oligo Security. Hackers on the dark web noticed the vulnerability in June, and Oracle issued a patch to correct it Oct. 4.
In the University of Phoenix’s case, hackers gained access in August, using an infiltration tactic that mimics legitimate data export rather than deploying malware, according to a Dec. 2 filing with the U.S. Securities and Exchange Commission. The university detected the breach on Nov. 21, 2025, and deployed the Oracle patch, according to the filing.
“This overall approach — in which threat actors have leveraged zero-day vulnerabilities, limited their network footprint, and delayed extortion notifications — almost certainly increases the overall impact, given that threat actors may be able to exfiltrate data from numerous organizations without alerting defenders to their presence,” Google threat intelligence experts wrote in a blog post.
Those impacted by the breach will receive notifications in the mail with more details on the incident and an offer of complimentary identity protection services, according to the university statement.
“As of the date of this filing, the [University of Phoenix] believes that the incident will not have a material adverse effect on its business operations or student programming,” the university filing reads.
Google experts link the attack to the CL0P extortion brand, a cybercriminal operation that exploits vulnerabilities to steal sensitive data and pressure victims through public leaks. The same Oracle vulnerabilities are linked to recent incidents at Harvard University, the University of Pennsylvania and Dartmouth College, and may have impacted more than 100 universities, according to reporting by Brilliance Security Magazine in December.