University of Phoenix Data Breach Exposes Data of 3.5 Million People Featured
University of Phoenix confirms a 2025 data breach affecting nearly 3.5 million people after hackers exploited a zero-day Oracle E-Business Suite vulnerability. Social Security numbers and financial data may be impacted.
The University of Phoenix has confirmed a large-scale data breach that exposed sensitive personal and financial information belonging to nearly 3.5 million people. The incident affects current and former students, faculty, staff, and third-party vendors.
The breach stemmed from a cyberattack that went undetected for several months and was only discovered after the attackers publicly disclosed the intrusion.
What Happened?
According to the University of Phoenix, attackers gained unauthorized access to its network in August 2025 by exploiting a previously unknown (zero-day) vulnerability in Oracle E-Business Suite, a platform used to manage financial and administrative operations.
The intrusion remained undetected for more than three months. The university discovered the breach on November 21, 2025, after the attackers publicly listed the institution on a data-leak site. The incident was disclosed publicly in early December, and the university’s parent company filed a Form 8-K with regulators.
Cybersecurity researchers believe the attack aligns with tactics used by the Clop ransomware group, which is known for exploiting zero-day vulnerabilities to quietly steal data rather than encrypt systems.
The vulnerability exploited in this incident is tracked as CVE-2025-61882 and is believed to have been actively abused since early August.
How Many People Were Affected?
Notification letters submitted to state regulators show that approximately 3,489,274 individuals were impacted by the breach.
Affected individuals include:
- Current and former students
- University faculty and staff
- Contractors and service providers
What Information Was Exposed?
While the university has not released a full technical breakdown, breach notifications indicate the compromised data may include:
- Full names
- Mailing addresses and contact information
- Dates of birth
- Social Security numbers
- Bank account and routing numbers
The exposure of both identity and financial information significantly increases the risk of identity theft, fraud, and unauthorized account activity.
What Is the University Doing?
The University of Phoenix reports that it has:
- Secured affected systems and applied patches
- Retained third-party cybersecurity experts
- Notified affected individuals
- Offered complimentary credit monitoring and identity-protection services
The investigation remains ongoing.
Legal Rights & Class Action Investigation
Individuals affected by the University of Phoenix data breach may have legal rights under state and federal privacy laws.
When companies collect and store sensitive personal information, they have a duty to implement reasonable security measures. Data breaches involving Social Security numbers and financial data can expose affected individuals to years of identity theft risk, even if fraud has not yet occurred.
Law firms are investigating whether the University of Phoenix and its parent company failed to adequately safeguard personal data or respond appropriately to known cybersecurity risks. Impacted individuals may be eligible to participate in a class action lawsuit seeking compensation for:
- Out-of-pocket expenses
- Time spent mitigating identity theft risk
- Credit monitoring costs
- Increased risk of future fraud
Participation in an investigation typically involves no upfront cost, and affected individuals retain the right to explore their legal options.
Contact a Data Breach Lawyer
If you were affected by the University of Phoenix data breach, you may have legal rights and could be entitled to compensation. When sensitive personal and financial information is exposed, affected individuals often face an increased risk of identity theft, fraud, and long-term privacy harm.
By filling out the form on this page, you can request a free, confidential review of your situation. A data breach lawyer will contact you to explain your legal options and whether you may qualify to participate in a class action or other legal claim related to this incident.