The University of Phoenix said it discovered a data breach after being added to a criminal data leak site and disclosed the incident on its website. The university’s parent company filed an 8-K form with the U.S. Securities and Exchange Commission and posted information about the incident on its media page.
The university said it detected the incident on Nov. 21 and that attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application to access sensitive records. The school said a wide range of personal and financial information belonging to students, staff and suppliers was taken.
Data the university said may have been accessed includes names and contact information, dates of birth, social security numbers, and bank account and routing numbers for numerous current and former students, employees, faculty and suppliers. The university said it will provide required notifications to affected individuals and regulatory entities and that impacted individuals will receive a letter by U.S. mail outlining next steps.
A university spokesperson did not respond to requests for additional details, and the institution has not publicly identified the attackers or disclosed the total number of people affected.
The incident aligns with a wider campaign that has targeted Oracle EBS instances since early August 2025 and has affected other U.S. universities and dozens of companies worldwide. Reported victims have included major universities and organizations as well as firms such as GlobalLogic, Logitech, The Washington Post and the American Airlines subsidiary Envoy Air. The actor associated with these campaigns has previously targeted other software platforms including GoAnywhere MFT, Accellion FTA, Cleo and MOVEit Transfer; the MOVEit incidents affected more than 2,770 organizations.
Investigations remain ongoing. The university said it is reviewing impacted data, will notify affected individuals and regulators as required, and that it will provide further information as it becomes available.