Key Findings

• The Washington Post has notified nearly 10,000 current and former employees and contractors about a data breach that exposed their personal and financial information.

• The breach was linked to a zero-day vulnerability (CVE-2025-61884) in Oracle's E-Business Suite software, which was exploited by the Clop ransomware group between July 10 and August 22, 2025.

• The stolen data includes names, bank account numbers, routing numbers, Social Security numbers, and tax IDs.

• The Washington Post was first alerted to the breach in late September 2025 when a "bad actor" contacted the company, claiming access to its Oracle applications.

• An investigation confirmed the extent of the compromise, which the company disclosed to affected individuals in late October 2025.

• The Washington Post is offering 12 months of free identity protection to the affected individuals and advising them to freeze their credit files and enable fraud alerts.

Background

The Washington Post is a prominent American daily newspaper with approximately 2.5 million digital subscribers. The company's data breach is part of a larger campaign targeting Oracle E-Business Suite customers, which has also affected organizations like Envoy Air and GlobalLogic.

Oracle Vulnerability and Clop Ransomware Group

The Clop ransomware group exploited a previously unknown zero-day vulnerability (CVE-2025-61884) in Oracle's E-Business Suite software to gain unauthorized access to the systems of affected organizations, including the Washington Post. The group then stole sensitive data and attempted to extort the victims, threatening to publish the stolen information on their Tor data leak site.

The Washington Post's Response

The Washington Post was alerted to the breach in late September 2025 when a "bad actor" contacted the company, claiming access to its Oracle applications. The company launched an investigation, which confirmed the extent of the compromise by October 27, 2025.

The Washington Post has notified the affected individuals and is providing them with 12 months of free identity protection. The company is also advising the affected individuals to freeze their credit files and enable fraud alerts to protect themselves from potential identity theft and financial fraud.

Broader Impact and Confirmed Victims

The Oracle E-Business Suite vulnerability has affected multiple organizations, with at least 29 alleged victims listed on the Clop ransomware group's Tor data leak site. Confirmed victims include Harvard University, South Africa's Wits University, and American Airlines subsidiary Envoy Air.

The data breach has highlighted the importance of keeping software up-to-date and the need for robust security measures to protect against sophisticated cyber threats targeting vulnerable enterprise applications.

Sources

• https://securityaffairs.com/184596/data-breach/washington-post-notifies-10000-individuals-affected-in-oracle-linked-data-theft.html

• https://cyberscoop.com/washington-post-oracle-clop-attacks/

• https://www.reddit.com/r/pwnhub/comments/1owcv1n/washington_post_data_breach_exposes_nearly_10000/