Update from state AG: University data breach affects nearly 3.5 million people
The scale of a massive data breach at the University of Phoenix has been confirmed after a state attorney general's public release.
A new filing from the Maine Attorney General confirms that nearly 3.5 million people were affected by a major data breach at the University of Phoenix, exposing sensitive personal and financial information of students, faculty, staff, and vendors.
According to the university, the breach was discovered on November 21, 2025, and involved a targeted cyberattack on Oracle’s E-Business Suite software.
Hackers exploited a previously unknown vulnerability to access names, Social Security numbers, birthdates, and bank account information.
The breach began in August, months before it was detected.
While the university said it acted quickly and applied software patches as soon as they became available in October, the damage had already been done. Affected individuals began receiving mailed notifications on December 22, as required by state and federal law.
In total, 3,489,274 people were impacted nationwide, including over 9,100 Maine residents, according to a legal filing by the university’s attorneys.
The school has notified law enforcement and is offering all victims free identity protection through IDX, including credit monitoring, dark web scans, identity theft recovery, and up to $1 million in coverage.
The University of Phoenix stated the attack was similar to those seen at other institutions but declined to explain why the breach went undetected for over three months. Critics say the incident raises concerns about how universities safeguard sensitive data, particularly as reliance on third-party platforms grows.
