About University of Phoenix, Inc.
The University of Phoenix, Inc., an educational institution based in Phoenix, Arizona, has reported a significant data breach. The breach impacted over three million individuals, including 9,131 residents of Maine. It resulted from an external hacking incident that compromised sensitive personal information. The breach was initially detected on November 21, 2025, and involved unauthorized access to the University's Oracle E-Business Suite.
What Happened
On November 21, 2025, we learned that an Oracle E-Business Suite (“Oracle EBS”) software vulnerability may have resulted in a cybersecurity incident. Upon detecting the incident, we promptly took steps to investigate and respond with the assistance of leading third-party cybersecurity firms. We determined that, like many other organizations, including other colleges and universities, an unauthorized third party exploited a previously unknown software vulnerability in Oracle EBS to exfiltrate certain data from within the University’s Oracle EBS environment. This occurred between August 13 and 22, 2025.
The breach, discovered on November 21, 2025, affected 3,489,274 individuals. Those affected include students and staff whose personal identifiers, such as names, Social Security numbers, and bank details, were compromised.
Next Steps
Affected individuals are advised to stay vigilant by reviewing their account statements and credit reports for any suspicious activity. It is crucial to report any signs of fraud to the relevant financial institutions and law enforcement authorities. The University of Phoenix is notifying affected individuals via written communication and providing resources to help protect their personal information. The University has also established a toll-free call center to address any concerns related to the breach.
Identity Theft Protection Services
The University of Phoenix is offering complimentary identity protection services to those impacted by the breach. These services include 12 months of credit monitoring, dark web monitoring, and a $1 million identity fraud loss reimbursement policy. Additionally, impacted individuals will receive fully managed identity theft recovery services. Affected parties are encouraged to enroll in these services by the deadline of March 22, 2026, to ensure their personal information remains protected.
