The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August.

Headquartered in Phoenix, Arizona, UoPX is a private for-profit university founded in 1976 with over 100,000 enrolled students and nearly 3,000 academic staff.

In early December, the university disclosed the incident on its official website, and Phoenix Education Partners, its parent company, filed an 8-K with the U.S. Securities and Exchange Commission (SEC).

UoPX said it detected the breach on November 21 (after Clop added it to its data leak site), noting that the attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application to steal sensitive personal and financial information belonging to staff, suppliers, and current and former students.

"We believe that the unauthorized third-party obtained certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers with respect to numerous current and former students, employees, faculty and suppliers was accessed without authorization," the school stated.

Andrea Smiley, the university's Vice President for Public Relations, told BleepingComputer at the time that UoPX was "reviewing the impacted data and will provide the required notifications to affected individuals and regulatory entities."

On Monday, the school revealed in notification letters filed with the office of Maine's Attorney General and mailed to those whose data were stolen in the attack that the data breach affects 3,489,274 individuals.

UoPX now offers free identity protection services, including a $1 million fraud reimbursement policy, 12 months of credit monitoring, identity theft recovery, and dark web monitoring.

​While the school has yet to attribute the breach, based on the details shared so far, the attack is part of a Clop extortion campaign in which the ransomware gang exploited a zero-day flaw (CVE-2025-61882) since early August 2025 to steal data from many victims' Oracle EBS platforms.

Clop has also targeted other U.S. universities in the same series of data theft attacks, including Harvard University and the University of Pennsylvania, which also confirmed Oracle EBS breaches impacting their staff and students.

Clop has been behind multiple data theft campaigns in the past, targeting GoAnywhere MFT, Accellion FTA, MOVEit Transfer, Cleo, and, most recently, Gladinet CentreStack customers.

The U.S. Department of State now offers a $10 million reward for information linking the cybercrime gang's attacks to a foreign government.

Since late October, several other U.S. universities have also been breached in voice phishing attacks, with Harvard University, the University of Pennsylvania, and Princeton University disclosing that systems used for development and alumni activities were compromised to steal the personal information of donors, students, alumni, staff, and faculty.