Phoenix University data breach exposes another 3.4M victims of Cl0p Oracle hacks


The University of Phoenix has begun notifying 3.5 million individuals that their personal information, including Social Security numbers, was exposed in a massive data breach carried out by the Cl0p ransomware gang this past August.

The Arizona-based university filed a breach notification (and a sample letter) with the Maine Attorney General's Office earlier this week.

The letter, which will be sent out this week to exactly 3,489,274 individuals, says the August cybersecurity incident was the result of a malicious attack on the school's Oracle E-Business Suite (EBS).

Oracle EBS is the software suite exploited by the Cl0p ransomware gang in a campaign researchers believe likely began in early July, targeting hundreds of organizations and sectors.

“According to our data, this is the fourth-largest ransomware attack in the world this year (based on records affected),” said Rebecca Moody, Head of Data Research at Comparitech.

Moody tells Cybernews the breach highlights not just the ongoing ransomware threat companies face on their own systems, but “attacks on third parties like Oracle often give hackers access to a multitude of companies, and their data, via one central source.”

“Clop is now rumored to be exploiting a new vulnerability through another software company, Gladinet CentreStack,” Moody said, predicting “even more devastating data breaches to continue well into 2026.”

What data was compromised?

The Cl0p hacking campaign leveraged a previously unknown zero-day flaw in the Oracle software, and although the attacks are believed to have begun over the summer, the fallout has continued to this day, with new victims being identified almost weekly.

Oracle's E-Business Suite of applications allows clients to manage customers, suppliers, manufacturing, logistics, and other business processes.

Phoenix University was initially placed on Cl0p’s official dark leak blog on November 21st.

Founded in 1976, the strictly online adult university enrolls over 200,000 students every year and offers certificates, associate, bachelor's, master's, and doctoral degrees in over a dozen majors, according to its website.

University officials announced on November 24th that, after immediately bringing in outside cybersecurity experts, “an unauthorized third-party had exfiltrated certain data from within the University of Phoenix’s Oracle EBS environment between August 13 and 22, 2025.”

The school says the compromised information may have included “your name” and other “impacted data elements,” such as “your Social Security number.”

“We also implemented measures to enhance security and minimize the risk of a similar incident occurring in the future,” Phoenix University wrote in the letter.

The notification letter also offers complimentary identity protection services, including 12 months of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and fully managed identity theft recovery services.

Third-party breaches continue to plague education sector

The Cl0p ransomware gang, operating since at least 2020, is no stranger to major extortion, with past campaigns exploiting the file transfer programs MOVEit, Fortra GoAnywhere, and Cleo.

The Russian-linked group has compromised hundreds of major organizations over the years, often taunting its victims and raking in hundreds of millions of dollars.

“This breach underscores a troubling pattern we’ve seen throughout 2025: threat actors like Clop continuing to weaponize zero-day vulnerabilities and mass data exfiltration campaigns against large, centralized educational platforms with insufficient segmentation between student, staff, and supplier data,” said Ensar Seker, CISO of SOCRadar.

Seker explains that universities remain attractive targets due to sprawling digital ecosystems and a mix of legacy and cloud infrastructure.

In fact, multiple breaches at high-profile universities have occurred in the last few months, including several Ivy League schools such as Princeton, Columbia, and the University of Pennsylvania (UPenn).

In fact, the UPenn databases accessed by Cl0p via Oracle EBS in November are likely to have contained personal details of Jeff Bezos, Michelle Obama, Pete Hegseth, and several US Supreme Court Justices.

In December, hackers also claimed the prestigious Sorbonne Université in Paris as a victim, for the second breach this year, saying they had stolen employee banking details, salary data, IDs, and other sensitive information.

The attackers exploit these complexities, “often entering through third-party vendors or outdated portals to move laterally across systems before exfiltrating millions of records,” said Seker, suggesting school networks have “minimal micro-segmentation or inadequate identity and access management (IAM) protocols.”

Seker further explains that Clop’s playbook is not new. “They’ve repeatedly exploited MOVEit and other file transfer software to compromise vast amounts of sensitive data.”

“In this case, the potential inclusion of personal data from students and faculty introduces FERPA, HIPAA, and contractual risk dimensions for the University of Phoenix,” he said.

