
A previously unknown vulnerability in Oracle's E-Business Suite has enabled unauthorized access to sensitive data held by The Washington Post, compromising the personal information of 9,720 current and former employees and contractors.
The breach, which spanned over a month in the summer of 2025, remained undetected until late October.
While the Post has not confirmed attribution, the timing, method, and software involved align closely with a broader campaign linked to the Clop ransomware gang.
The incident came to light on September 29, 2025, when The Washington Post was contacted by an unnamed threat actor claiming to have breached the organization's Oracle E-Business Suite applications. In response, the media giant launched a forensic investigation, which uncovered unauthorized access between July 10 and August 22, 2025. The intrusion exploited a zero-day vulnerability in Oracle's software that had not been patched at the time of the attack.
During the investigation, Oracle confirmed the existence of the flaw and acknowledged it had affected multiple customers, not just The Washington Post. Oracle later issued patches to remediate the issue, which were promptly applied by the Post. The attackers were able to access data containing names, Social Security numbers, bank account and routing numbers, and tax ID numbers.
Clop, a financially motivated cybercrime group with a long history of targeting enterprise software platforms, has been actively exploiting a zero-day in Oracle EBS (CVE-2025-61882) since at least August 2025. The flaw, which received a CVSS score of 9.8, allows unauthenticated remote code execution via the BI Publisher integration component and affects EBS versions 12.2.3 through 12.2.14. Oracle released a patch on October 4, 2025, days before The Washington Post publicly confirmed the breach.
The Washington Post, headquartered in Washington, D.C., is one of the largest and most influential newspapers in the United States. While known primarily for its journalism, the organization also operates complex internal systems to manage its sizable workforce and contractor base. The compromised Oracle E-Business Suite is a widely used enterprise resource planning (ERP) platform that supports HR, financials, and supply chain functions for large organizations.
The breach was confirmed on October 27, 2025, following the completion of the internal investigation and data review. Affected individuals were formally notified on November 12, 2025.
The Washington Post is now offering 12 months of complimentary identity protection services through IDX to individuals whose Social Security or tax ID numbers were involved. Recipients were provided with enrollment details and advised to remain vigilant for potential fraud.






