Breach taxonomy
Summary
In August 2025, an unauthorized third party exploited a previously unknown vulnerability in Oracle E-Business Suite (Oracle EBS) software to exfiltrate data from the University of Phoenix, a subsidiary of Phoenix Education Partners. The incident was detected on November 21, 2025. Personal information including names, contact information, dates of birth, Social Security numbers, and bank account and routing numbers of numerous individuals was accessed without authorization. The company promptly installed Oracle EBS patches released in October 2025 and engaged third-party cybersecurity firms. Business operations and student programming were not impacted. The company maintains a comprehensive cybersecurity insurance policy covering incident response costs. Filed under Item 8.01; company does not believe the incident will have a material adverse effect.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to a specific actor, referring only to 'an unauthorized third-party' → UNKNOWN.
MethodsData ExfilApp Exploit
An unauthorized third-party exploited a previously unknown software vulnerability (zero-day) in Oracle EBS to copy and exfiltrate data → DATA-EXFIL + APP-EXPLOIT.
AssetsPersonal Data
Filing discloses that names, contact information, dates of birth, Social Security numbers, and bank account and routing numbers of numerous individuals were accessed without authorization → PERSONAL-DATA.
EffectsInfo Privacy Loss
Highly sensitive PII including SSNs and bank account numbers was accessed without authorization, with no operational disruption reported → INFO-PRIVACY-LOSS.
Business continuityNot Required
Filing explicitly states the incident did not impact business operations or student programming → Not Required.
Impact
Highly sensitive PII (SSNs, bank account numbers) of numerous individuals was exfiltrated via a zero-day exploit in Oracle EBS, affecting a major university; while operations were unaffected, the sensitivity of data exposed warrants a score of 3.
InsuranceYes
Filing states 'The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings related to the incident, subject to deductibles, exclusions and limits' → true.
Read the original SEC filing excerpt
Item 8.01 Other Events. The University of Phoenix, Inc., a subsidiary of Phoenix Education Partners, Inc. (including the University, the Company), recently experienced a cybersecurity incident involving the Oracle E-Business Suite software platform (Oracle EBS). The Company is one of a number of organizations, including other academic institutions, from which an unauthorized third-party exfiltrated data by exploiting a previously unknown software vulnerability in Oracle EBS. The incident did not impact the business operations or student programming of the Company. Upon detecting the incident on November 21, 2025, the Company promptly took steps to investigate and respond with the assistance of leading third-party cybersecurity firms. While the investigation remains ongoing, at this time, the Company believes that the software vulnerability was used in August 2025 to copy certain data maintained in the Company's Oracle EBS environment. The Company promptly installed Oracle EBS software patches to remediate the vulnerability following their release in October 2025. The Company believes that certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers, with respect to numerous individuals was accessed without authorization. To the Company's knowledge, the unauthorized third-party has not publicly disseminated the data. The Company is continuing to review the impacted data and will provide the required notifications to affected parties and applicable regulatory entities. As of the date of this filing, the Company believes that the incident will not have a material adverse effect on its business operations or student programming. The Company continues to investigate the incident and will incur expenses in the fiscal year directly and indirectly related to the event. The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings related to the incident, subject to deductibles, exclusions and limits.