The Washington Post has confirmed that it was breached by a threat campaign targeting Oracle E-Business Suite vulnerabilities.
The Washington Post is one of more than 40 victims claimed by the CL0P ransomware group in a campaign that is believed to have targeted Oracle E-Business Suite vulnerability CVE-2025-61884. So far, only four of the victims have confirmed that they were breached: The Post, Harvard University, American Airlines’ Envoy Air, and Hitachi’s GlobalLogic.
The Post confirmed the data breach in a Nov. 12 filing with the Maine Attorney General’s office.
Washington Post Data Breach Detailed in Letter
The Washington Post data breach timeline was detailed in a letter from a law firm representing the newspaper to Maine Attorney General Aaron Frey.
The letter states that on September 29, The Post “was contacted by a bad actor who claimed to have gained access to its Oracle E-Business Suite applications.”
The Post letter said the company subsequently launched an investigation of its Oracle application environment with the help of experts.
“During the investigation, Oracle announced that it had identified a previously unknown and widespread vulnerability in its E-Business Suite software that permitted unauthorized actors to access many Oracle customers’ E-Business Suite applications,” The Post’s letter states. “The Post’s investigation confirmed that it was impacted by this exploit and determined that, between July 10, 2025, and August 22, 2025, certain data was accessed and acquired without authorization.”
On October 27, 2025, The Post “confirmed that certain personal information belonging to current and former employees and contractors was affected by this incident. The affected information varies by individual but may include individuals’ names, bank account numbers and associated routing numbers, Social Security numbers, and/or tax ID numbers.”
On November 12, The Post said it notified 31 Maine residents of the incident, but the total number of affected employees and contractors is believed to be just under 10,000. The Post said it has offered complimentary identity protection services through IDX to individuals whose Social Security numbers or tax ID numbers were exposed in the breach.
CL0P Oracle Victims Number More Than 40
While only four victims have confirmed they were hit in the Oracle cyberattack campaign, the CL0P ransomware group has claimed roughly 45 victims to date from the campaign on its dark web data leak site.
Alleged victims claimed by CL0P have included major electronics companies, energy and utility organizations, technology companies, manufacturers, medical technology companies, healthcare providers, major colleges and universities, insurers, security companies, banks, construction and engineering firms, mining companies and communications companies, as well as organizations in other industries and sectors.
CL0P has tended to cluster victims in campaigns targeting specific vulnerabilities throughout its six-year history, including 267 claimed victims in February 2025 that drove ransomware attacks to record highs that month.
