📅 December 3, 2025 | ⏱ 7 min read | 🔐 Category: Data Breaches
The University of Phoenix has disclosed a data breach linked to exploitation of a zero-day vulnerability in Oracle’s E-Business Suite. The university says it detected the incident after its name appeared on a criminal leak site and has begun the notification process, while its parent, Phoenix Education Partners, reported the event in an SEC Form 8-K. With nearly 3,000 academic staff and more than 100,000 students, the school is among the largest for-profit institutions in the United States, and the affected system sits at the heart of financial and administrative operations.
In its notice, the university said attackers took advantage of a known flaw in the Oracle E-Business Suite financial application. The data at risk includes personal and financial details for current and former students, employees, faculty, and suppliers, such as names, contact information, dates of birth, Social Security numbers, and bank account and routing numbers. Officials said they are analyzing the impacted data set and will send paper letters to affected individuals with next steps and available support.
While the school has not attributed the intrusion to a specific group, the timing and technical details match a broader extortion campaign widely associated with the Clop cybercrime operation. Since early August 2025, that crew has been exploiting a pre-authentication flaw tracked as CVE-2025-61882 to extract sensitive files from internet-exposed Oracle EBS instances. Other universities, including Harvard University and the University of Pennsylvania, have confirmed related breaches, and organizations far beyond higher education—among them GlobalLogic, Logitech, The Washington Post, and Envoy Air—have appeared on leak sites following similar compromises.
Oracle has acknowledged CVE-2025-61882 and issued a security alert and patches for supported EBS versions. Because the vulnerability allows remote, unauthenticated access, any instance reachable from the internet has faced elevated risk, and many victims were targeted before patches were available or fully deployed. The episode is consistent with Clop’s established playbook of rapidly weaponizing flaws in widely used enterprise platforms.
The higher education sector has been under sustained pressure on multiple fronts. Separate from the Oracle EBS incidents, several universities—including Harvard, the University of Pennsylvania, and Princeton—disclosed voice-phishing compromises in late October that affected alumni and development systems. Those intrusions relied on social engineering rather than a software exploit, but they underscore how attackers blend technical and human-focused tactics to reach valuable data.
Members of the University of Phoenix community should take practical steps now. Watch your physical mail for the university’s notification letter and follow the guidance it provides. Consider placing a credit freeze with Equifax, Experian, and TransUnion to block new credit in your name, or at minimum add a fraud alert if a freeze isn’t feasible. Turn on transaction alerts and review your bank and credit accounts regularly; if you spot suspicious activity, contact your financial institutions immediately and request new account numbers if needed. To reduce the risk of tax-related identity fraud, enroll for an IRS Identity Protection PIN. Be alert for phishing messages that reference the breach and verify any unusual request through known phone numbers or websites rather than clicking links. Update passwords for critical accounts and enable multi-factor authentication wherever possible.
Organizations running Oracle E-Business Suite should prioritize patching based on Oracle’s security guidance, then reduce exposure by removing EBS from direct internet access, gating it behind VPN and allowlists, and segmenting it from the rest of the network. Patching alone is not sufficient: because exploitation began before a fix was available, an instance that is now patched may already have been compromised, so review web and application logs dating back to early August 2025 for unusual administrator activity, large data exports, or unexpected outbound transfers, and follow with rotation of credentials, keys, and tokens connected to EBS and its integrations. Validated, offline backups and a clear incident response and communications plan will help meet legal and regulatory obligations if notification becomes necessary.
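The log review described above can be started with a small script, shown here as an added example rather than code from the university, Oracle, or the article’s author. It parses Apache/nginx combined-format access-log lines, ignores everything before the campaign window (early August 2025), and flags two of the indicators the text names: requests to administrative paths from outside trusted networks, and unusually large successful responses sent to external clients, with a per-source byte total to surface exfiltration. The admin path prefix, the size threshold, the trusted ranges and the log format are assumptions to be adapted to a real deployment, and the sample lines are constructed, not taken from any real system.

```python
"""Review EBS-facing web access logs for the campaign-window indicators.

Added example. Assumptions (not from the article): combined log format,
a 5 MB "large response" threshold, a hypothetical /admin/ path prefix,
and RFC1918 ranges as trusted networks. Sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

CAMPAIGN_START = datetime(2025, 8, 1, tzinfo=timezone.utc)   # early August 2025 per the article
LARGE_RESPONSE_BYTES = 5_000_000                              # assumption: tune to normal traffic
ADMIN_PATH_PREFIXES = ("/admin/",)                            # assumption: hypothetical console paths
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumption

# Constructed sample log lines (not real traffic). Line 1 sits before the window.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2025:09:00:00 +0000] "GET /admin/export HTTP/1.1" 200 48000000',
    '203.0.113.7 - - [12/Aug/2025:02:13:44 +0000] "GET /admin/export HTTP/1.1" 200 48000000',
    '10.0.0.5 - jsmith [13/Aug/2025:14:00:00 +0000] "GET /app/invoices/123 HTTP/1.1" 200 3400',
    '198.51.100.9 - - [20/Sep/2025:03:05:10 +0000] "POST /app/login HTTP/1.1" 401 -',
    '203.0.113.7 - - [20/Sep/2025:03:07:00 +0000] "GET /app/reports/all HTTP/1.1" 200 9500000',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def review(lines, start=CAMPAIGN_START):
    """Flag admin access and large exports from untrusted sources inside the window."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["ts"] < start:
            continue                      # unparsable or before the campaign window
        external = not is_trusted(rec["ip"])
        reasons = []
        if external and rec["path"].startswith(ADMIN_PATH_PREFIXES):
            reasons.append("admin path from untrusted source")
        if external and rec["status"] == 200 and rec["size"] >= LARGE_RESPONSE_BYTES:
            reasons.append(f"large response ({rec['size']} bytes) to untrusted source")
        if reasons:
            findings.append({"line": n, "ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return findings


def bytes_by_external_source(lines, start=CAMPAIGN_START):
    """Total response bytes per untrusted client IP inside the window, largest first."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ts"] >= start and not is_trusted(rec["ip"]):
            totals[rec["ip"]] += rec["size"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['path']} -> {'; '.join(f['reasons'])}")
    for ip, total in bytes_by_external_source(SAMPLE_LOG).items():
        print(f"{ip}: {total} bytes")
```

On real logs, feed `review` the lines of each rotated file for the window and treat per-source totals as a triage queue rather than a verdict: a legitimate integration partner can also pull large reports, so confirm hits against change tickets and the EBS application audit tables before escalating.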
This breach matters because ERP platforms concentrate high-value HR, financial, and supplier data. Even without ransomware encryption, the theft of Social Security numbers and banking details can fuel identity and financial fraud for years, making swift remediation and long-term vigilance essential. Key questions still to be answered include how many people will ultimately receive notification, what support the university will offer, whether any University of Phoenix data is published by the threat actors, and how far the Oracle EBS campaign extends across education and industry.
Written by: Logan Elliott
Cyberix
https://www.cyberixsafe.com
