Phoenix Education Partners (PXED) discloses Oracle EBS cyber breach exposing personal data

Rhea-AI Filing Summary

Phoenix Education Partners, Inc., parent of The University of Phoenix, reports a cybersecurity incident involving its Oracle E‑Business Suite platform. An unauthorized third party exploited a previously unknown Oracle vulnerability and, in August 2025, copied certain data from the Company’s Oracle EBS environment. The breach appears to have exposed personal information such as names, contact details, dates of birth, Social Security numbers, and bank account and routing numbers for numerous individuals.

The incident was detected on November 21, 2025, after which the Company engaged third‑party cybersecurity firms, applied Oracle patches released in October 2025, and began notifying affected parties and regulators. The Company states that operations and student programming were not impacted and, as of this report, it believes the incident will not have a material adverse effect on its business operations or student programming. It expects to incur related expenses but notes that it maintains cybersecurity insurance that may cover incident response, remediation, regulatory, business interruption and legal costs, subject to deductibles, exclusions and limits.

Positive

• None.

Negative

• Material cybersecurity incident involving sensitive personal data, including Social Security and bank account details for numerous individuals, creating elevated legal, regulatory, and reputational risk despite unchanged operations.

Insights

Cybersecurity and risk analyst

PXED discloses a significant data breach with insured but uncertain financial and legal fallout.

Phoenix Education Partners reports that a previously unknown vulnerability in Oracle E‑Business Suite was exploited in August 2025 to copy data from its environment. Exposed information includes highly sensitive personal identifiers (Social Security and bank account numbers), which raises meaningful legal, compliance, and reputational risk, even though core business operations and student programming were not disrupted.

The Company detected the incident on November 21, 2025, engaged leading third‑party cybersecurity firms, and installed Oracle patches released in October 2025. Management currently believes the incident will not have a material adverse effect on business operations or student programming, but acknowledges it will incur incident‑related expenses and is still reviewing impacted data and regulatory notification obligations.

The Company maintains a comprehensive cybersecurity insurance policy that covers incident response, remediation, regulatory action, business interruption, and legal proceedings, subject to deductibles, exclusions, and limits. Actual financial impact will depend on the final scope of compromised data, potential regulatory inquiries or litigation, and the extent of recoveries under the policy as clarified in future SEC filings.

false 0001600222 0001600222 2025-12-02 2025-12-02 iso4217:USD xbrli:shares iso4217:USD xbrli:shares

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d)
of the Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): December 2, 2025

Phoenix Education Partners, Inc.

(Exact name of Registrant as specified in its charter)

Delaware		001-42899		38-3922540
(State or Other Jurisdiction of Incorporation)		(Commission File Number)		(I.R.S. Employer Identification No.)

4035 S. Riverpoint Parkway Phoenix, AZ		85040
(Address of principal executive offices)		(Zip Code)

(800) 990-2765

(Registrant’s telephone number, including area code)

(Former Name or Former Address, if Changed Since Last Report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the Registrant under any of the following provisions:

☐	Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐	Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
☐	Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
☐	Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class		Trading Symbol(s)		Name of each exchange on which registered
Common Stock, par value $0.01 per share		PXED		New York Stock Exchange

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§ 230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§ 240.12b-2 of this chapter).

Emerging growth company ☒

If an emerging growth company, indicate by check mark if the Registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 8.01 Other Events.

The University of Phoenix, Inc., a subsidiary of Phoenix Education Partners, Inc. (including the University, the “Company”), recently experienced a cybersecurity incident involving the Oracle E-Business Suite software platform (“Oracle EBS”). The Company is one of a number of organizations, including other academic institutions, from which an unauthorized third-party exfiltrated data by exploiting a previously unknown software vulnerability in Oracle EBS. The incident did not impact the business operations or student programming of the Company.

Upon detecting the incident on November 21, 2025, the Company promptly took steps to investigate and respond with the assistance of leading third-party cybersecurity firms. While the investigation remains ongoing, at this time, the Company believes that the software vulnerability was used in August 2025 to copy certain data maintained in the Company’s Oracle EBS environment. The Company promptly installed Oracle EBS software patches to remediate the vulnerability following their release in October 2025. The Company believes that certain personal information, including names and contact information, dates of birth, social security numbers, and bank account and routing numbers, with respect to numerous individuals was accessed without authorization. To the Company’s knowledge, the unauthorized third-party has not publicly disseminated the data. The Company is continuing to review the impacted data and will provide the required notifications to affected parties and applicable regulatory entities.

As of the date of this filing, the Company believes that the incident will not have a material adverse effect on its business operations or student programming. The Company continues to investigate the incident and will incur expenses in the fiscal year directly and indirectly related to the event. The Company maintains a comprehensive cybersecurity insurance policy, which covers costs associated with the incident response, investigatory and remediation expense, potential regulatory action, business interruption, and costs associated with investigating, defending, and resolving legal proceedings related to the incident, subject to deductibles, exclusions and limits.

Forward-Looking Statements

The information included in this Item 8.01 contains forward-looking statements within the meaning of U.S. Private Securities Litigation Reform Act of 1995, including, without limitation, statements regarding the extent and potential impact of the cybersecurity incident, the means by which the unauthorized third-party accessed the internal IT system, the nature of data that may have been copied, the notification of affected parties and applicable regulatory agencies, the potential effect on our financial condition and results of operations, and the expected cybersecurity insurance policy coverage. The forward-looking statements in this Form 8-K are subject to risks and uncertainties that could cause actual results and events to differ materially from those anticipated in these forward-looking statements.

Factors that might cause actual results to differ materially from those anticipated in forward-looking statements include, but are not limited to, our ongoing assessment of the impacts of the cybersecurity incident, including the potential discovery of additional information related to the incident in connection with our ongoing investigation or otherwise; our ability to remediate the cybersecurity incident; the impact of the cybersecurity incident on our relationships with employers, employees, faculty, students and governmental regulators; the legal, reputational, and financial risks resulting from the cybersecurity incident, including as may arise from any potential regulatory inquiries and/or litigation to which we may become subject in connection with the incident; remediation and other additional costs that we may incur in connection with the investigation and remediation of the incident; and the risks and uncertainties discussed in our other periodic filings with the Securities and Exchange Commission (“SEC”), including our Annual Report on Form 10-K for the fiscal year ended August 31, 2025 and other Quarterly Reports on Form 10-Q and Current Reports on Form 8-K filed with the SEC, available at www.sec.gov, under the caption “Risk Factors” and elsewhere. The Company does not undertake any obligation to update any forward-looking statements to reflect new information or events or circumstances occurring after the date of this Form 8-K, except as may be required by applicable law.

2

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

	PHOENIX EDUCATION PARTNERS, INC.
Date: December 2, 2025	By:	/s/ Christopher Lynne
		Name:	Christopher Lynne
		Title:	Chief Executive Officer

3

FAQ

What cybersecurity incident did Phoenix Education Partners (PXED) disclose?

Phoenix Education Partners reported that an unauthorized third party exploited a previously unknown software vulnerability in its Oracle E‑Business Suite platform to copy data from its Oracle EBS environment in August 2025.

What types of personal data were exposed in PXEDs cybersecurity incident?

The Company believes certain personal information was accessed without authorization, including names and contact information, dates of birth, Social Security numbers, and bank account and routing numbers for numerous individuals.

Did the cybersecurity breach affect Phoenix Education Partners operations or student programming?

The Company states that the incident did not impact its business operations or student programming and, as of the report date, it believes the incident will not have a material adverse effect on those areas.

When did Phoenix Education Partners discover the Oracle EBS breach and how did it respond?

The Company detected the incident on November 21, 2025, promptly engaged leading third-party cybersecurity firms to investigate and respond, and installed Oracle EBS software patches released in October 2025 to remediate the vulnerability.

Does Phoenix Education Partners have cyber insurance for this incident?

Yes, the Company maintains a comprehensive cybersecurity insurance policy that covers incident response, investigatory and remediation expenses, potential regulatory action, business interruption, and costs of investigating, defending, and resolving legal proceedings, subject to deductibles, exclusions, and limits.

How is Phoenix Education Partners handling notifications related to the data breach?

The Company is reviewing the impacted data and will provide required notifications to affected individuals and applicable regulatory entities, in line with legal obligations.