The Washington Post has confirmed that it recently suffered a data breach linked to a concentrated threat campaign exploiting vulnerabilities in Oracle E-Business Suite applications.
This incident is part of a larger series of attacks attributed to the CL0P ransomware group, which has claimed over 40 victims. So far, four organizations have publicly acknowledged the breach: The Washington Post, Harvard University, Envoy Air (part of American Airlines), and Hitachi’s GlobalLogic.
The newspaper officially reported this breach in a filing submitted to the Maine Attorney General’s office on November 12.
Details of the Washington Post Data Breach
The timeline surrounding the data breach at The Washington Post was outlined in a letter from a legal firm representing the newspaper, addressed to Maine Attorney General Aaron Frey.
According to the letter, on September 29, The Post was contacted by a threat actor who claimed to have infiltrated its Oracle E-Business Suite applications. In response, the organization initiated an investigation into its Oracle application environment, enlisting cybersecurity experts to assist in the probe.
The investigation revealed that Oracle had identified a previously undisclosed and significant vulnerability in its E-Business Suite software. This vulnerability allowed unauthorized entities to access various customers’ applications. The findings confirmed that The Washington Post had been affected by this exploit and that unauthorized access had occurred between July 10 and August 22, 2025.
On October 27, The Post verified that personal information belonging to both current and former employees, as well as contractors, had been compromised. The type of data at risk varied by individual and could include names, bank account numbers and corresponding routing numbers, Social Security numbers, and tax identification numbers.
On November 12, the newspaper informed 31 residents in Maine about the incident. However, the total number of affected employees and contractors is estimated to be just shy of 10,000. To assist those impacted, The Post is offering complimentary identity protection services through IDX for individuals whose Social Security or tax ID numbers were part of the breach.
Widespread Impact of the CL0P Campaign
While only four organizations have confirmed being impacted by the Oracle cyberattack, the CL0P ransomware group claims to have a total of approximately 45 victims linked to this campaign, according to its dark web data leak site.
The range of alleged victims spans various industries, including major electronics firms, energy and utility providers, technology companies, manufacturers, healthcare organizations, educational institutions, insurers, banks, and many others. This extensive reach reflects the group’s strategic approach of concentrating attacks on specific vulnerabilities throughout its six-year history.
Notably, in February 2025, CL0P reported 267 victims, marking a significant spike in ransomware incidents during that period.


