The University of Phoenix (UoPX) has joined a growing list of U.S. universities breached in a Clop data theft campaign targeting vulnerable Oracle E-Business Suite instances in August 2025.

Founded in 1976 and headquartered in Phoenix, Arizona, UoPX is a private for-profit university with nearly 3,000 academic staff and over 100,000 enrolled students.

The university disclosed the data breach on its official website on Tuesday, while its parent company, Phoenix Education Partners, filed an 8-K form with the U.S. Securities and Exchange Commission (SEC).

UoPX said it detected the incident on November 21 (after the extortion group added it to its data leak site) and noted that the attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application to steal a wide range of sensitive personal and financial information belonging to students, staff, and suppliers.

"We believe that the unauthorized third-party obtained certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers with respect to numerous current and former students, employees, faculty and suppliers was accessed without authorization," the school said.

"We continue to review the impacted data and will provide the required notifications to affected individuals and regulatory entities. Affected individuals will soon receive a letter via US Mail outlining the details of the incident and next steps to take."

Andrea Smiley, Vice President for Public Relations at University of Phoenix, told BleepingComputer that UoPX is "reviewing the impacted data and will provide the required notifications to affected individuals and regulatory entities." However, Smiley didn't share any further details about the breach, including which cybercrime operation was behind the attack or the total number of individuals affected.

​Although UoPX has yet to attribute the incident to a specific cybercrime group, based on the details shared so far, the breach is part of a Clop ransomware gang extortion campaign in which the gang has exploited a zero-day flaw (CVE-2025-61882) to steal sensitive documents from many victims' Oracle EBS platforms since early August 2025.

As part of the same series of data theft attacks, Clop has also targeted other universities in the United States, including Harvard University and the University of Pennsylvania, which have also confirmed Oracle EBS breaches impacting their students and staff.

The extortion group also compromised the Oracle EBS instances of dozens of companies worldwide, including GlobalLogic, Logitech, The Washington Post, and the American Airlines subsidiary Envoy Air, and leaked the stolen data on its dark web site.

In the past, Clop was also behind data theft campaigns targeting GoAnywhere MFT, Accellion FTA, Cleo, and MOVEit Transfer customers, the latter affecting more than 2,770 organizations.

Since late October, the systems of several U.S. universities have also been breached in a series of voice phishing attacks, with Harvard University, University of Pennsylvania, and Princeton University disclosing that the attackers breached systems used for development and alumni activities to steal the personal information of donors, staff, students, alumni, and faculty.

Update December 03, 10:16 EST: Added statement from University of Phoenix.