Breach at University of Phoenix exposed data of 3.5 million people
Alex Lekander
December 22, 2025
The University of Phoenix has confirmed that a cybersecurity breach resulting from the exploitation of a zero-day vulnerability in Oracle’s E-Business Suite (EBS) affects 3,489,274 individuals.
The compromised data includes sensitive personal and financial information, and the university has now begun notifying affected individuals.
The breach was discovered on November 21, 2025, when the University of Phoenix identified suspicious activity in its Oracle EBS environment. The institution immediately engaged third-party cybersecurity experts and launched an investigation. Three days later, on November 24, it was confirmed that attackers had exploited a then-unknown Oracle EBS flaw to exfiltrate data over a ten-day period between August 13 and 22, 2025.
Oracle’s EBS is a widely used enterprise resource planning (ERP) platform that handles business functions such as HR, finance, and procurement. The University of Phoenix relied on this software for internal operations, and the breach did not disrupt its academic programs. However, the incident resulted in the unauthorized extraction of names, dates of birth, Social Security numbers, and bank account and routing numbers, though not credentials to access those accounts.
