
University of Phoenix Data Breach Exposes 3.5 Million in Oracle E-Business Suite (EBS) Zero-Day Attack

  • Rescana
  • 3 days ago
  • 5 min read

Executive Summary

The University of Phoenix experienced a significant data breach affecting approximately 3.5 million individuals, including current and former students, staff, faculty, and suppliers. The breach was executed by the Clop ransomware group, which exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The initial compromise occurred on August 13, 2025, but was not detected until November 21, 2025, when the attackers publicly listed the university on their data leak site. Exposed data includes names, contact information, dates of birth, Social Security numbers, and bank account details. The university has since notified affected individuals and regulatory authorities, offering complimentary identity protection services. This incident is part of a broader campaign targeting higher education institutions through supply chain vulnerabilities in enterprise resource planning (ERP) systems, highlighting persistent sector-wide risks and the need for improved monitoring and rapid patching of legacy systems. All information in this summary is directly supported by the cited sources below.

Technical Information

The University of Phoenix breach was initiated through exploitation of a zero-day vulnerability, identified as CVE-2025-61882, in the Oracle E-Business Suite (EBS). This vulnerability enabled unauthenticated remote code execution (RCE) via HTTP, granting attackers full control over the affected system without requiring credentials. The flaw resided in the BI Publisher integration of the Oracle EBS Concurrent Processing component, a critical part of the university’s financial and administrative infrastructure. The attackers, identified as the Clop ransomware group, leveraged this vulnerability to gain access to sensitive data repositories within the university’s ERP environment.

The attack began on August 13, 2025, but remained undetected for over three months. Discovery occurred on November 21, 2025, after the Clop group added the University of Phoenix to its public leak site, a common tactic used to pressure victims into paying extortion demands. The university’s parent company, Phoenix Education Partners, subsequently filed an 8-K disclosure with the U.S. Securities and Exchange Commission (SEC), and formal notifications were sent to affected individuals and regulatory bodies on December 22, 2025. The breach triggered mandatory notification requirements in multiple states, including Maine, where over 9,000 residents were affected.

Technical analysis confirms that the attackers did not deploy ransomware to encrypt systems; instead, the focus was on data exfiltration for extortion. The Clop group is known for exploiting zero-day vulnerabilities in widely used enterprise software, including previous campaigns against GoAnywhere MFT, Accellion FTA, MOVEit Transfer, Cleo, and Gladinet CentreStack. In this incident, the attackers targeted the Oracle EBS environment, which supports procurement, payroll, accounts payable, and student finance workflows, thereby increasing the volume and sensitivity of exposed data.

The breach exposed personally identifiable information (PII) such as names, contact details, dates of birth, Social Security numbers, and banking information. The compromised data set included records of current and former students, staff, faculty, and suppliers, totaling 3,489,274 individuals. The university responded by restricting access to affected systems, initiating a comprehensive review of exposed records, and offering identity protection services, including credit monitoring and dark web monitoring.

The incident is mapped to several MITRE ATT&CK techniques, including T1190 (Exploit Public-Facing Application), T1005 (Data from Local System), and T1041 (Exfiltration Over C2 Channel). No evidence of ransomware encryption (T1486) was observed in this case. Attribution to the Clop group is supported by direct evidence from leak site postings and alignment with known tactics, techniques, and procedures (TTPs) used in previous campaigns.

The breach underscores the vulnerability of higher education institutions to supply chain and third-party software attacks, particularly those involving complex, legacy ERP systems like Oracle EBS. The three-month detection gap highlights deficiencies in security monitoring and incident response capabilities, a common challenge in the sector. The incident also demonstrates the operational and regulatory risks associated with delayed breach detection and notification.
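The three-month detection gap described above is, in monitoring terms, a failure to notice bulk outbound transfer (ATT&CK T1041) from the ERP segment. The following is an added example, not code from the Rescana post, from Oracle, or from the university: a per-host egress baseline that flags days whose outbound volume is far above that host's own recent history. Every log line, hostname, address and byte count is constructed for illustration, and the seven-day baseline and 3-sigma / 3x thresholds are assumed policy values.

```python
"""Added example (not from the Rescana post or any Oracle tooling): a baseline
egress monitor for hosts in an ERP segment. It flags days on which a host's
outbound byte volume is far above its own recent baseline, the kind of signal
that surfaces a bulk exfiltration (ATT&CK T1041) long before a leak-site
listing does. All log lines, hostnames, addresses and volumes below are
constructed for illustration."""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed daily flow summaries: <day> <source host> <destination> <bytes out>
FLOW_LOG = """\
2025-08-06 ebs-app-01 198.51.100.7 40600000
2025-08-07 ebs-app-01 198.51.100.7 43300000
2025-08-08 ebs-app-01 198.51.100.7 38900000
2025-08-09 ebs-app-01 198.51.100.7 41700000
2025-08-10 ebs-app-01 198.51.100.7 40200000
2025-08-11 ebs-app-01 198.51.100.7 42800000
2025-08-12 ebs-app-01 198.51.100.7 39100000
2025-08-13 ebs-app-01 203.0.113.25 2140000000
2025-08-14 ebs-app-01 203.0.113.25 1870000000
2025-08-06 ebs-db-01 10.10.5.20 880000000
2025-08-07 ebs-db-01 10.10.5.20 875000000
2025-08-08 ebs-db-01 10.10.5.20 892000000
2025-08-09 ebs-db-01 10.10.5.20 868000000
2025-08-10 ebs-db-01 10.10.5.20 884000000
2025-08-11 ebs-db-01 10.10.5.20 879000000
2025-08-12 ebs-db-01 10.10.5.20 886000000
2025-08-13 ebs-db-01 10.10.5.20 901000000
2025-08-14 ebs-db-01 10.10.5.20 871000000
"""


def parse_flows(text):
    """Aggregate bytes out per host per day; a host may have many flows a day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, _dst, nbytes = line.split()
        totals[host][date.fromisoformat(day)] += int(nbytes)
    return totals


def egress_alerts(totals, baseline_days=7, sigma=3.0, ratio=3.0):
    """Return (host, day, bytes, multiple_of_baseline) for each anomalous day.

    The first `baseline_days` of each host form its baseline. A day alerts only
    if it exceeds both mean + sigma*stddev and ratio*mean, so a noisy but
    low-volume host cannot alert on statistical jitter alone."""
    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to judge; a real deployment would wait
        base = [per_day[d] for d in days[:baseline_days]]
        mu, sd = mean(base), pstdev(base)
        spread = max(sd, 0.05 * mu)  # floor so near-constant baselines are not hair-trigger
        for d in days[baseline_days:]:
            volume = per_day[d]
            if volume > mu + sigma * spread and volume > ratio * mu:
                alerts.append((host, d.isoformat(), volume, round(volume / mu, 1)))
    return alerts


if __name__ == "__main__":
    for host, day, volume, mult in egress_alerts(parse_flows(FLOW_LOG)):
        print(f"ALERT {day} {host}: {volume:,} bytes out ({mult}x baseline)")
```

On the constructed data the application server alerts on both post-compromise days (its volume is roughly 45 to 50 times its baseline) while the database host, which moves far more data but does so steadily, never alerts. The dual threshold is the important design choice: a standard-deviation test alone fires on jitter for quiet hosts, and a ratio test alone misses slow increases on busy ones.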

Affected Versions & Timeline

The breach specifically targeted the Oracle E-Business Suite (EBS) financial application, exploiting a zero-day vulnerability (CVE-2025-61882) present in the BI Publisher integration of the Concurrent Processing component. The affected environment included systems supporting procurement, payroll, accounts payable, and student finance operations.

The timeline of key events is as follows: On August 13, 2025, attackers gained unauthorized access to the university’s systems via the Oracle EBS zero-day. The breach remained undetected until November 21, 2025, when the Clop group publicly listed the university on its leak site. Formal notifications to affected individuals and regulatory authorities were issued on December 22, 2025. The university continues to investigate the root cause and implement remediation measures.

The detection delay of over three months allowed the attackers to access and exfiltrate a substantial volume of sensitive data. The breach affected approximately 3.5 million individuals (3,489,274), including 9,131 Maine residents, triggering state-specific notification requirements. The university has not yet disclosed additional details regarding infrastructure improvements or comprehensive remediation efforts, but investigations and regulatory compliance activities are ongoing.

Threat Activity

The threat activity in this incident is attributed to the Clop ransomware group, a well-known cybercriminal organization specializing in data theft and extortion campaigns. The group exploited a previously unknown vulnerability in the Oracle E-Business Suite (EBS), enabling remote code execution and unauthorized access to sensitive data. The attack did not involve ransomware encryption; instead, the focus was on exfiltrating data for extortion purposes.

The Clop group has a documented history of targeting organizations through supply chain vulnerabilities in widely used enterprise software. In this campaign, the group targeted multiple higher education institutions, including Harvard University, the University of Pennsylvania, and Dartmouth College, using similar Oracle EBS exploits. The attackers leveraged the complexity and legacy nature of ERP systems in the education sector, which are often difficult to patch and secure promptly.

The attack sequence involved initial access via exploitation of the Oracle EBS zero-day, system discovery and data collection, and exfiltration of sensitive information. The attackers then used their leak site to pressure the university into paying an extortion demand, a tactic consistent with previous Clop campaigns. The U.S. Department of State has offered a $10 million reward for information linking the Clop group’s attacks to a foreign government, underscoring the severity and geopolitical implications of the campaign.

The breach highlights the persistent threat posed by sophisticated cybercriminal groups targeting higher education and other sectors reliant on complex, third-party software solutions. The incident demonstrates the need for enhanced supply chain risk management, rapid vulnerability patching, and improved security monitoring to detect and respond to advanced threats.

Mitigation & Workarounds

Mitigation efforts following the breach have focused on restricting access to affected systems, reviewing exposed records, and notifying impacted individuals and regulatory authorities. The University of Phoenix has offered complimentary identity protection services, including a $1 million fraud reimbursement policy, 12 months of credit monitoring, identity theft recovery, and dark web monitoring.

To address the underlying vulnerability, organizations using Oracle E-Business Suite (EBS) should immediately apply security patches released by Oracle for CVE-2025-61882 and review system configurations to minimize exposure of public-facing applications. It is critical to implement robust monitoring and alerting for unauthorized access attempts, particularly on ERP and financial systems. Regular vulnerability assessments and penetration testing should be conducted to identify and remediate weaknesses in legacy and third-party software environments.

Organizations are advised to enhance supply chain risk management practices by maintaining an up-to-date inventory of third-party software, monitoring vendor security advisories, and establishing rapid patch management processes. Incident response plans should be reviewed and tested to ensure timely detection and containment of breaches. User awareness training should be reinforced to mitigate the risk of phishing and social engineering attacks, which have also been observed in recent campaigns targeting higher education institutions.

Critical recommendations include immediate patching of vulnerable Oracle EBS systems, implementation of multi-factor authentication for administrative access, and continuous monitoring for indicators of compromise associated with the Clop group and similar threat actors. High-priority actions involve reviewing access controls, segmenting sensitive data environments, and ensuring compliance with regulatory notification requirements.
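The inventory, advisory-monitoring and rapid-patching loop recommended above is easy to state and hard to keep honest without tooling. The following is an added example, not code from the Rescana post or from Oracle: it reconciles a software inventory against a list of vendor advisories and produces a patch queue ordered by exposure and by how far each host is past its patch SLA. Every host, patch level, advisory date and SLA value is a constructed placeholder; the actual fix levels and release dates for CVE-2025-61882 must be taken from Oracle's advisory.

```python
"""Added example (not from the Rescana post or from Oracle): reconcile a
software inventory against vendor advisories and emit a patch queue ordered
by exposure and SLA breach. Every host, patch level, advisory date and SLA
value below is a constructed placeholder; the real CVE-2025-61882 fix levels
and dates come from Oracle's advisory, not from this file."""
from datetime import date, timedelta

# Constructed policy: days allowed to apply a critical fix, by exposure.
SLA_DAYS = {"internet_facing": 3, "internal": 14}

# Constructed advisory record. fix_released is a placeholder date, not Oracle's.
ADVISORIES = [
    {"cve": "CVE-2025-61882", "product": "Oracle E-Business Suite",
     "component": "BI Publisher integration / Concurrent Processing",
     "fix_released": date(2025, 10, 1)},   # placeholder date
]

# Constructed inventory. patch_level = date of the last vendor patch bundle applied.
INVENTORY = [
    {"host": "ebs-web-01", "product": "Oracle E-Business Suite",
     "patch_level": date(2025, 7, 15), "internet_facing": True},
    {"host": "ebs-app-02", "product": "Oracle E-Business Suite",
     "patch_level": date(2025, 7, 15), "internet_facing": False},
    {"host": "ebs-test-01", "product": "Oracle E-Business Suite",
     "patch_level": date(2025, 10, 3), "internet_facing": False},
    {"host": "hr-portal-01", "product": "Other Vendor HR Suite",
     "patch_level": date(2025, 6, 1), "internet_facing": True},
]

# Constructed "today" used by the stand-alone run below.
AS_OF = date(2025, 10, 20)


def patch_queue(inventory, advisories, as_of):
    """List every (host, advisory) pair still unpatched as of `as_of`,
    internet-facing hosts first, then by how many days past SLA each one is."""
    queue = []
    for host in inventory:
        for adv in advisories:
            if host["product"] != adv["product"]:
                continue                       # advisory does not apply
            if host["patch_level"] >= adv["fix_released"]:
                continue                       # fix bundle already applied
            exposure = "internet_facing" if host["internet_facing"] else "internal"
            deadline = adv["fix_released"] + timedelta(days=SLA_DAYS[exposure])
            queue.append({
                "host": host["host"],
                "cve": adv["cve"],
                "exposure": exposure,
                "deadline": deadline.isoformat(),
                "days_past_sla": (as_of - deadline).days,
            })
    # Internet-facing first; within each group, the most overdue first.
    queue.sort(key=lambda e: (e["exposure"] != "internet_facing", -e["days_past_sla"]))
    return queue


if __name__ == "__main__":
    for entry in patch_queue(INVENTORY, ADVISORIES, AS_OF):
        print(f"{entry['host']:<14} {entry['cve']} {entry['exposure']:<16} "
              f"deadline {entry['deadline']} ({entry['days_past_sla']:+d} days)")
```

Run daily against the real inventory, the queue is the artefact that turns "rapid patch management" into something auditable: the public-facing host surfaces first with its SLA breach counted in days, the internal host follows, the already-patched test system and the unrelated HR product are filtered out. A negative `days_past_sla` means the deadline has not yet passed, so the same output doubles as a forward-looking work list.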

References

https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/
https://cyberpress.org/university-of-phoenix-data-breach/
https://www.paubox.com/blog/university-of-phoenix-reports-data-breach-linked-to-oracle-ebs-zero-day
https://fortiguard.fortinet.com/outbreak-alert/oracle-e-business-suite-rce
https://attack.mitre.org/techniques/T1190/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and supply chain partners. Our platform enables continuous visibility into third-party software vulnerabilities, supports rapid incident response coordination, and facilitates compliance with regulatory requirements. For questions or further information, please contact us at ops@rescana.com.
