University of Phoenix says 'numerous individuals' impacted by Oracle EBS breach

The University of Phoenix became the latest U.S. educational institution to warn employees of a data breach involving a popular line of business software from Oracle.

The university’s parent company filed a notice with the Securities and Exchange Commission (SEC) on Tuesday evening saying “numerous individuals” tied to the organization had information accessed by hackers who breached the Oracle E-Business Suite software platform.

Two weeks ago, the private, for-profit school was listed on the leak site of a prominent Russian extortion group that allegedly breached dozens of organizations through a vulnerability in the Oracle platform, including Harvard University, Dartmouth College and the University of Pennsylvania. 

At the time, a University of Phoenix spokesperson told Recorded Future News that it was investigating the incident. 

In the SEC filing on Tuesday, the school said it detected the incident on November 21 and discovered that the hackers breached systems in August, gaining access to the names, contact information, dates of birth, Social Security numbers, and bank account and routing numbers of an unstated number of people. 

“The Company is one of a number of organizations, including other academic institutions, from which an unauthorized third-party exfiltrated data by exploiting a previously unknown software vulnerability in Oracle EBS,” the university disclosed. 

Despite leak site posts by the cybercriminals responsible for the hack, the University of Phoenix  said the hackers have “not publicly disseminated the data.” The school did not respond to requests for comment about how many people were impacted by the incident.

The incident will not have a material impact on business operations because the parent company — Phoenix Education Partners, Inc. — has cybersecurity insurance that will cover incident response, investigations and remediation expenses, the school said.

Penn breach

The filing by the University of Phoenix was made one day after the University of Pennsylvania told regulators in multiple states that it also suffered a data breach through the same vulnerability in Oracle software. 

The school did not say how many people were affected overall but explained that it uses Oracle EBS to “process supplier payments, reimbursements, general ledger entries, and to conduct other university business.”

The school redacted the type of information stolen from the data breach notices submitted to California, Massachusetts, Vermont and Maine. Victims are being offered two years of identity protection services.  

The University of Pennsylvania said it is now “cooperating with an ongoing federal law enforcement investigation” into the Oracle EBS attacks. The FBI and Justice Department did not respond to requests for comment about potential investigations into the string of attacks involving Oracle EBS.

The Clop extortion group claims to have stolen information from hundreds of companies through the previously unknown bug in Oracle EBS. The group has made millions over the last six years by repeatedly targeting vulnerabilities in file transfer software. 

Carl Froggett, CIO of cybersecurity company Deep Instinct, noted that schools like the University of Phoenix, Penn, Harvard and Dartmouth run on sprawling ecosystems of third-party platforms. 

“Higher-education institutions were never built to function as full-scale cyber defense operations, yet they are expected to protect research, students, employees, and operational data from both known and unknown threats,” he said.  

“The attack surface is no longer just your environment; it is every environment you depend on."