Data Breaches | December 24, 2025

Clop Ransomware Gang Steals 3.5 Million Records from University of Phoenix

Oracle E-Business Suite zero-day exploitation adds another victim to Clop's CVE-2025-61882 campaign. SSNs and bank account numbers among exposed data.

Sarah Mitchell

The University of Phoenix has begun notifying 3.5 million people that their personal information was stolen in a data breach traced to the Clop ransomware group. The attack exploited a zero-day vulnerability in Oracle E-Business Suite, making the university one of the largest known victims in Clop's ongoing campaign against Oracle EBS users.

TL;DR

  • What happened: Clop exploited CVE-2025-61882 in Oracle EBS to steal 3.5 million records from University of Phoenix
  • Who's affected: Current and former students, employees, faculty, and suppliers
  • Severity: Critical—SSNs and bank account numbers exposed
  • Action required: Affected individuals should enroll in the free IDX monitoring by March 22, 2026

What Data Was Stolen?

The breach occurred between August 13 and August 22, 2025, though the university didn't detect it until November 21—three months later. The stolen data includes:

  • Full names
  • Dates of birth
  • Social Security numbers
  • Bank account and routing numbers

This combination gives attackers everything needed for identity theft and financial fraud. The presence of banking information suggests payroll or financial aid systems were compromised.

How Did Clop Get In?

Clop exploited CVE-2025-61882, a zero-day vulnerability in Oracle E-Business Suite that the group has weaponized across dozens of organizations. Oracle EBS is enterprise software used for financial management, HR, and supply chain operations—exactly the kind of system that stores sensitive personal and financial data.

The university only learned of the compromise after Clop listed it on the group's dark web leak site. Detection came not from internal security monitoring but from external threat intelligence.

Clop's Oracle EBS Campaign

University of Phoenix joins a growing list of CVE-2025-61882 victims. Other confirmed targets include:

  • Harvard University
  • University of Pennsylvania
  • Medical device manufacturer Abbott
  • American Airlines subsidiary Envoy Air
  • Broadcom
  • Cox Enterprises
  • Schneider Electric
  • Britain's National Health Service
  • Oracle itself

Clop specializes in exploiting vulnerabilities in widely deployed enterprise software. The group previously gained notoriety through mass exploitation of the MOVEit, GoAnywhere, and Accellion file transfer platforms. Its shift to Oracle EBS follows the same playbook: find a zero-day, exploit it at scale, and extract data for extortion.

Scale of the Breach

According to Comparitech's Rebecca Moody, this ranks as the fourth-largest ransomware attack of 2025 by number of records affected. The three-month gap between data theft and detection gave Clop ample time to exfiltrate and catalog stolen information.

For a for-profit educational institution that has served millions of students over its history, the exposure extends across decades of enrollment records. Former students who attended years ago may find their information compromised.

What the University Is Offering

The University of Phoenix is providing affected individuals 12 months of identity protection services through IDX:

  • Credit monitoring at all three bureaus
  • Dark web surveillance
  • $1 million identity fraud reimbursement policy
  • Fully managed identity recovery support

Enrollment deadline: March 22, 2026.

Notification letters began going out December 22 with instructions for activating these services.

Why This Matters

Educational institutions hold particularly sensitive data. Beyond the obvious—SSNs and financial information—they maintain years of personal history: addresses, emergency contacts, academic records, sometimes health information. A breach of this scale provides attackers with enough biographical detail to craft convincing social engineering attacks or bypass knowledge-based authentication questions.

The three-month detection gap also highlights ongoing struggles with breach discovery. Organizations continue to learn about compromises from external parties—often the attackers themselves—rather than their own monitoring systems.

Frequently Asked Questions

How do I know if I'm affected?

If you've ever been a student, employee, faculty member, or supplier of the University of Phoenix, you may be affected. The university is mailing notification letters to confirmed victims. You can also contact their dedicated response line.

What should I do first?

Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) immediately. This prevents anyone from opening new accounts in your name. The freeze is free and can be lifted temporarily when you need to apply for credit.

Should I enroll in the free monitoring?

Yes. While credit freezes provide the strongest protection against new account fraud, monitoring services can alert you to misuse of existing accounts and dark web activity involving your data. The $1 million reimbursement policy provides additional protection if fraud does occur.
