The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August.
Headquartered in Phoenix, Arizona, UoPX is a private for-profit university founded in 1976 with over 100,000 enrolled students and nearly 3,000 academic staff.
In early December, the university disclosed the incident on its official website, and Phoenix Education Partners, its parent company, filed an 8-K with the U.S. Securities and Exchange Commission (SEC).
UoPX said it detected the breach on November 21 (after Clop added it to its data leak site), noting that the attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application to steal sensitive personal and financial information belonging to staff, suppliers, and current and former students.
"We believe that the unauthorized third-party obtained certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers with respect to numerous current and former students, employees, faculty and suppliers was accessed without authorization," the school stated.
Andrea Smiley, the university's Vice President for Public Relations, told BleepingComputer at the time that UoPX was "reviewing the impacted data and will provide the required notifications to affected individuals and regulatory entities."
On Monday, the school revealed in notification letters filed with the office of Maine's Attorney General and mailed to those whose data were stolen in the attack that the data breach affects 3,489,274 individuals.
UoPX now offers free identity protection services, including a $1 million fraud reimbursement policy, 12 months of credit monitoring, identity theft recovery, and dark web monitoring.
University of Phoenix entry on Clop's leak site (BleepingComputer)
While the school has yet to attribute the breach, the details shared so far indicate that the attack is part of a Clop extortion campaign in which the ransomware gang has been exploiting a zero-day flaw (CVE-2025-61882) since early August 2025 to steal data from many victims' Oracle EBS platforms.