Ransomware Gang Exploits Oracle Zero-Day to Steal Data of 3.5 Million University of Phoenix Students and Staff
- Cyber Jack
The University of Phoenix has become the latest high-profile casualty in a sweeping ransomware and data extortion campaign that is reshaping how attackers target higher education and enterprise software at scale.
In a disclosure that surfaced quietly in early December, the for-profit university confirmed that attackers gained unauthorized access to sensitive systems months earlier and ultimately exfiltrated personal and financial data tied to nearly 3.5 million people. The affected population spans current and former students, faculty, staff, and third-party suppliers, placing the incident among the largest education sector breaches of the year.
The breach traces back to August, when attackers exploited a previously unknown vulnerability in Oracle’s widely used enterprise financial software. According to filings submitted by Phoenix Education Partners, the university’s parent company, attackers remained undetected until November 21, when the institution appeared on a ransomware leak site linked to the Clop cybercrime group.
Investigators say the attackers leveraged a zero-day flaw in Oracle E-Business Suite to siphon off data that includes names, contact details, dates of birth, Social Security numbers, and banking information. The university later confirmed the scope of the exposure in notification letters filed with the Maine Attorney General’s office, placing the total number of affected individuals at 3,489,274.
The university has since begun offering free identity protection services, including credit monitoring, identity theft recovery assistance, dark web monitoring, and a fraud reimbursement policy of up to one million dollars. While such measures have become standard post-breach responses, they do little to address the systemic risk facing institutions that rely on complex enterprise platforms with deep access to financial and identity data.
Security researchers say the University of Phoenix incident is part of a broader extortion campaign tied to Clop, a ransomware group known for exploiting zero-day vulnerabilities in popular file transfer and enterprise systems. In previous years, the group has targeted platforms including MOVEit Transfer, Accellion FTA, GoAnywhere MFT, Cleo, and CentreStack. The current campaign marks a shift toward exploiting core financial infrastructure embedded inside universities and other large organizations.
Other universities have already felt the impact. Harvard University and the University of Pennsylvania have both confirmed breaches involving Oracle E-Business Suite during the same time period, raising concerns that higher education has become a prime testing ground for attackers looking to maximize data value while minimizing resistance. In parallel, several Ivy League schools have also disclosed separate voice phishing attacks since October that compromised donor and alumni systems, underscoring the sector’s expanding attack surface.
The growing role of automation and artificial intelligence in these attacks is drawing increased scrutiny from security leaders and policymakers alike. Hom Bahmanyar, Global Enablement Officer at Ridge Security Technology Inc., said the University of Phoenix breach reflects a broader escalation that organizations are struggling to keep pace with.
“As 2025 comes to a close, it’s evident that cybersecurity attacks surged dramatically over the past year, fueled by threat actors increasingly leveraging AI to launch more sophisticated and effective attacks.
“The University of Phoenix data breach was disclosed publicly on December 21 but will likely not be the final breach reported this year. This data breach serves as a stark reminder for security and risk management leaders that AI-driven threats can be detected accurately and in a timely manner only through the adoption of AI-powered security validation platforms. AI-powered threat exposure management is no longer a nice-to-have but a must-have.”
Federal authorities are also paying close attention. The U.S. Department of State currently offers a ten-million-dollar reward for information linking Clop’s operations to a foreign government, signaling concerns that some ransomware campaigns may intersect with state-aligned cyber activity.
For universities, the lesson is becoming increasingly difficult to ignore. As institutions modernize administrative systems and centralize sensitive data, they inherit the same enterprise-scale risks faced by multinational corporations. The University of Phoenix breach shows that when attackers find a single flaw in widely deployed software, the fallout can ripple across millions of lives in a matter of weeks.