The IT Nerd

The University of Phoenix has today begun notifying over 3.4 million individuals that their data was stolen in a hack by the notorious ransomware gang known as Cl0p. Yeah. That Cl0p. Clearly they’ve been busy this year by being naughty and not nice.

Rebecca Moody, Head of Data Research at Comparitech had this to say:

“According to our data, this is the fourth-largest ransomware attack in the world this year (based on records affected). It highlights the ongoing threat that companies face via ransomware — and not just via attacks on their own systems. Attacks on third parties like Oracle often give hackers access to a multitude of companies (and their data) via one central source. And as Clop is now rumored to be exploiting a new vulnerability through another software company (Gladinet CentreStack), its devastating data breaches look set to continue well into 2026.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech follows with this:

“Clop has been on a rampage this year, targeting zero-day vulnerabilities in software used by large enterprises. Specifically, it targets Oracle’s E-Business Suite and the Cleo file transfer software. This attack on the University of Phoenix is most likely related to the former.

According to our research, Clop has claimed the third-most data breaches of any ransomware gang in 2025.”

See: https://www.comparitech.com/news/ransomware-roundup-november-2025/

Chris Hauk, Consumer Privacy Champion at Pixel Privacy adds this:

“This is just the latest data breach of US universities, with Harvard University, the University of Pennsylvania, and Princeton University having been compromised by hackers, who stole the personal information of donors, students, alumni, staff, and faculty. We will surely see this trend continue, as bad actors around the world look to increase the size of their data cache from US educational institutions.

I would urge any individuals affected by this breach to take advantage of the university’s offer of free identity protection services, fraud reimbursement policy, one year of credit monitoring, identity theft recovery, and dark web monitoring. This will give them a leg up in detecting if bad actors are attempting to use the data gathered from the breach for nefarious purposes, as the information stolen includes dates of birth, social security numbers, and bank account and routing numbers.”

Finally, Ensar Seker, CISO of SOCRadar had this to say: 

“This breach underscores a troubling pattern we’ve seen throughout 2025: threat actors like Clop continuing to weaponize zero-day vulnerabilities and mass data exfiltration campaigns against large, centralized educational platforms with insufficient segmentation between student, staff, and supplier data.

Universities remain attractive targets due to sprawling digital ecosystems and a mix of legacy and cloud infrastructure. Attackers exploit these complexities often entering through third-party vendors or outdated portals—and move laterally across systems before exfiltrating millions of records. The fact that Clop accessed data tied to nearly 3.5 million individuals suggests minimal micro-segmentation or inadequate identity and access management (IAM) protocols.

Clop’s playbook is not new. They’ve repeatedly exploited MOVEit and other file transfer software to compromise vast amounts of sensitive data. Their ransomware operations are increasingly interwoven with pure data theft and extortion, leveraging leak sites and public shaming campaigns to pressure victims. In this case, the potential inclusion of personal data from students and faculty introduces FERPA, HIPAA, and contractual risk dimensions for University of Phoenix.

Given the scale and societal impact of this attack, it’s time for educational institutions to be held to the same cybersecurity standards as critical infrastructure. That includes mandatory vendor security assessments, data minimization strategies, and endpoint telemetry across hybrid environments. Breaches like this are not just IT issues,they’re national resilience risks when millions of PII records are involved.

Transparent forensic reporting, mass notification procedures, and proactive credit monitoring must be prioritized. From a policy standpoint, it’s time for federal regulators to reevaluate breach notification thresholds and introduce industry-wide frameworks tailored for academia.”

While Cl0p isn’t the only ransomware gang out there, they’ve clearly been busy. Which doesn’t bode well for any of us in 2026.