November 13, 2025 The Washington Post has confirmed that nearly 10,000 current and former employees and contractors had personal information stolen after attackers breached the newspaper’s Oracle E-Business Suite environment earlier this year.
In a filing with Maine’s attorney general, the Post said it was contacted on September 29 by an individual claiming to have accessed its Oracle system. An internal investigation later verified the intrusion and linked it to a previously unknown Oracle EBS vulnerability that has been exploited across multiple organizations worldwide.
The filing says attackers accessed the system between July 10 and August 22, stealing data that included names, bank account numbers, routing numbers, Social Security numbers and tax identification numbers. The Post determined the scope of the breach on October 27 and began notifying almost 10,000 affected individuals. Those whose Social Security numbers or tax IDs were taken have been offered identity-protection services.
The incident is part of a larger campaign attributed to the Clop ransomware group, which has posted alleged victims on its leak site. Confirmed disclosures so far include GlobalLogic, a Hitachi-owned engineering firm that reported more than 10,000 staff impacted, and Allianz UK. Researchers also expect more announcements in the coming weeks as organizations review their Oracle logs.
Estimates of the scale of the campaign vary widely. Some security analysts say “dozens” of companies have been affected, while others warn the total may exceed 100 based on the number of EBS environments seen communicating with attacker infrastructure.
Oracle acknowledged the flaw in late October when it issued emergency patches but has not said how many customers were affected or how long the bug had been exploited. Researchers believe the vulnerability may have been used at scale for several months.
