University of Phoenix Class Action Claims Data Breach Exposed 3.5M Students’ PII—What You Need to Know

A class action lawsuit filed in Texas federal court on January 9, 2026, alleges the University of Phoenix and Oracle Corporation failed to adequately protect the personally identifiable information (PII) of approximately 3.5 million current and former students in an August 2025 data breach that exposed Social Security numbers, financial information, dates of birth, and contact details. The lawsuit claims affected students may be eligible to participate in the class action or file claims for compensation and identity theft protection services.

The breach, discovered on November 21, 2025, compromised 3,489,274 individuals according to breach notifications filed with state attorneys general. Hackers exploited a zero-day vulnerability in Oracle’s E-Business Suite software between August 13-22, 2025, gaining unauthorized access to sensitive student data—yet the university didn’t notify affected individuals until one month after discovering the intrusion.

This Affects You If You’re a Current or Former University of Phoenix Student Whose Personal Information May Have Been Exposed

If you attended University of Phoenix at any time and had your information stored in their Oracle E-Business Suite systems, understanding this breach matters because your Social Security number, bank account details, and other sensitive data could now be in the hands of cybercriminals. The CL0P ransomware group has claimed responsibility and posted about the breach on the dark web, meaning your information may already be for sale to identity thieves.

What the University of Phoenix Data Breach Class Action Alleges

The University’s Alleged Security Failures

Plaintiff Tiaa Pointer claims the University of Phoenix and Oracle “failed to implement and maintain reasonable security measures” to protect students’ PII during the data breach. The lawsuit alleges the defendants did not use industry-standard cybersecurity protections including encryption for sensitive student data, multi-factor authentication to prevent unauthorized access, proper access controls limiting who could view student information, regular security audits and vulnerability assessments, and adequate incident response plans to quickly detect and contain breaches.

Pro Tip: Place a fraud alert on your credit reports immediately by contacting one of the three credit bureaus (Equifax, Experian, or TransUnion). The bureau you contact must notify the other two. This free service makes it harder for identity thieves to open accounts in your name and lasts one year. For stronger protection, consider a credit freeze, which prevents anyone from accessing your credit report without your permission.

The complaint alleges hackers exploited a “previously unknown software vulnerability” in Oracle’s E-Business Suite—a critical enterprise system used for managing administrative processes including financial data. This zero-day vulnerability existed between the time Oracle released software patches and the University’s discovery of the breach on November 21, 2025.

Delayed Notification Increased Risk

Pointer argues the University of Phoenix and Oracle failed to notify students that their PII had been accessed until one month after discovering the data breach. “Defendants’ failure to promptly notify Plaintiff and Class members that their PII was disclosed, accessed, and stolen virtually ensured that the unauthorized third parties who exploited those security lapses could monetize, misuse, or disseminate that PII before Plaintiff and Class members could take affirmative steps to protect their sensitive information,” the complaint states.

This delay violated data breach notification laws in multiple states requiring prompt notification when PII is compromised—typically within 30-90 days of discovery.

Legal Claims Against University of Phoenix

The lawsuit claims University of Phoenix and Oracle are guilty of negligence for failing to implement reasonable cybersecurity measures, breach of implied contract by not protecting student data they were entrusted to safeguard, unjust enrichment by profiting from student tuition while failing to properly secure their information, and violating the Illinois Consumer Fraud and Deceptive Business Practices Act.

The case is Pointer, et al. v. The University of Phoenix, Inc., et al., Case No. 1:26-cv-00009, in the U.S. District Court for the Western District of Texas.

What Personal Information Was Exposed in the Breach

Types of PII Compromised

While the University continues reviewing impacted data, it has confirmed the breach exposed names; Social Security numbers (the “master key” to your identity that can be used for fraudulent credit applications, tax return fraud, and obtaining government benefits); dates of birth, which combined with SSNs enable comprehensive identity theft; contact information, including home addresses, phone numbers, and email addresses; and bank account details, including account numbers and routing numbers.

Not all 3.5 million students had all types of information exposed—the specific data compromised varies by individual. However, University of Phoenix has acknowledged that both current and former students, faculty, employees, and suppliers were affected.

Why This Data Is Dangerous

Social Security numbers cannot be changed like credit card numbers—you’re stuck with yours for life. This breach creates permanent identity theft risk. With your SSN and date of birth, criminals can open credit accounts, file fraudulent tax returns, obtain medical services in your name, gain employment using your identity, or commit educational fraud using your academic credentials.

The exposed bank account information could lead to unauthorized charges or account takeovers. Your contact information makes you a target for sophisticated phishing scams that appear legitimate because criminals have your actual details.

Who Qualifies for the University of Phoenix Class Action

Proposed Class Definition

The lawsuit seeks to represent all persons whose PII was exposed in the August 2025 University of Phoenix data breach. This likely includes current and former University of Phoenix students whose PII was stored in the Oracle E-Business Suite environment between August 13-22, 2025, individuals who attended University of Phoenix at any time if their information remained in university systems, faculty and staff whose data was compromised, and suppliers whose information was exposed.

The case was filed in January 2026, making this a very recent development. The court has not yet certified the class action, and no settlement has been reached. Class members typically don’t need to take action during initial lawsuit stages.

Current Case Status

If the court certifies the class and a settlement is reached, affected individuals would receive notice with instructions for filing claims. No claim forms are currently available, and no deadlines have been established.

Law firms are actively investigating the breach and seeking affected users to join potential class action litigation. Multiple firms have announced investigations focusing on whether University of Phoenix implemented “reasonable and adequate cybersecurity measures.”

What You Must Know to Protect Yourself

Common Misconceptions About Data Breach Class Actions

Misconception: I have to prove I was a victim of identity theft to participate. Reality: You can participate based on increased risk of identity theft even if fraud hasn’t occurred yet.

Misconception: The class action means I’ll get a huge payout. Reality: Data breach settlements typically provide modest per-person compensation plus credit monitoring services. Similar educational institution breaches have resulted in payouts ranging from $20-$160 per person for basic claims.

Misconception: I can’t participate because I graduated years ago. Reality: If your information was stored in University of Phoenix systems during the breach period, you likely qualify regardless of when you attended.

Misconception: University of Phoenix will notify me if I’m affected. Reality: Don’t rely solely on University notification. If you attended during any period, check proactively, because your data may have been retained in their systems.

Immediate Steps If You Were Affected

Contact University of Phoenix’s dedicated call center at 833-353-7866 (Monday-Friday, 7am-7pm MT) to confirm whether your information was exposed and learn what free services they’re offering.

Enroll in the free credit monitoring and identity theft protection services University of Phoenix is providing to affected individuals—typically 12 months through a service like TransUnion.

Review your credit reports from all three bureaus at AnnualCreditReport.com for unauthorized accounts or inquiries. After a data breach, you’re entitled to additional free reports beyond the usual annual report.

Monitor your bank and credit card statements carefully for unauthorized charges. Set up account alerts to notify you of unusual activity.

File your tax return early to prevent tax refund fraud. Identity thieves often use stolen Social Security numbers to file fraudulent returns before victims can.

Change passwords for your University of Phoenix account and any other accounts where you used the same password. Enable multi-factor authentication wherever possible.

Long-Term Identity Theft Protection

Continue monitoring your credit reports for at least 3-5 years after the breach. Identity thieves sometimes wait months or years before using stolen information.

Consider identity theft protection services that monitor the dark web for your personal information appearing in criminal marketplaces.

If you discover fraud, file a report immediately with the Federal Trade Commission at IdentityTheft.gov. File a police report to help dispute fraudulent accounts.

Keep detailed records of all fraud-related communications and expenses. Document time spent addressing the breach at an hourly rate—you may be able to claim reimbursement in the class action settlement.

Monitor your Social Security Administration account at ssa.gov for unauthorized activity like name changes or benefit applications.

Frequently Asked Questions

What is the University of Phoenix data breach class action about?

The lawsuit alleges University of Phoenix and Oracle failed to implement adequate cybersecurity measures to protect student PII, allowing hackers to exploit a zero-day vulnerability in August 2025 and steal data from 3.5 million individuals. The case seeks compensation for negligence, breach of contract, and violations of consumer protection laws.

What personal information was exposed in the University of Phoenix breach?

The breach compromised names, Social Security numbers, dates of birth, contact information (addresses, phone numbers, emails), and bank account numbers with routing numbers. Not all affected individuals had all data types exposed—it varies by person.

Who qualifies for the University of Phoenix class action?

Current and former University of Phoenix students, faculty, staff, and suppliers whose PII was stored in the university’s Oracle E-Business Suite systems and exposed in the August 2025 breach. This includes anyone who attended at any time if their information remained in university databases.

How much money can I get from the University of Phoenix data breach settlement?

No settlement exists yet. Based on similar educational institution data breach settlements, compensation typically ranges from $20-$160 per person for basic claims, with higher amounts (up to several thousand dollars) for those who can document actual financial losses, identity theft, or fraud directly traceable to the breach.

When was the University of Phoenix data breach?

Hackers accessed University of Phoenix systems between August 13-22, 2025. The university discovered the breach on November 21, 2025, and began notifying affected individuals on December 22, 2025. The class action lawsuit was filed January 9, 2026.

Do I need to do anything right now?

Contact University of Phoenix at 833-353-7866 to confirm you’re affected and enroll in free credit monitoring. Place fraud alerts on your credit reports. Monitor your accounts for suspicious activity. Keep all documentation. The lawsuit is in early stages with no claim forms available yet—you’ll receive notice if a settlement is reached.

Can I sue University of Phoenix separately if I’m in the class action?

If you remain a class member, you typically give up the right to file individual lawsuits about the same breach. You can opt out when you receive notice to preserve your right to sue separately, but you won’t receive any settlement benefits.

Last Updated: January 14, 2026 — We keep this current with the latest legal developments.

Important Disclaimer: This article provides informational content about the University of Phoenix class action lawsuit alleging a data breach exposed 3.5 million students’ PII. This is not legal advice. Class action participation is voluntary. For specific legal questions about your situation or potential identity theft, consult a qualified attorney. AllAboutLawyer.com does not provide legal services.

Take Action: Place fraud alerts on your credit reports at Equifax.com, Experian.com, or TransUnion.com. File identity theft reports at IdentityTheft.gov if needed.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.