The Washington Post is notifying nearly 10,000 employees and contractors that their personal and financial data was exposed following a data theft attack involving Oracle software.
The breach occurred between July 10 and August 22, when threat actors accessed parts of the news organization's internal network. They exploited a then zero day vulnerability in the Oracle E Business Suite software, a widely used platform for HR, finance, and supply chain functions.
Breach and Extortion Attempt
On September 29, 2025, The Post was contacted by the malicious actor, who claimed to have gained access to its Oracle E Business Suite applications. While investigating the incident with expert assistance, Oracle announced that it had identified a previously unknown and widespread vulnerability in its E Business Suite software. This flaw permitted unauthorized access across many Oracle customers.
Although the attackers are not named in the notification letter, the Clop ransomware group has been linked to similar attacks, exploiting the zero day flaw now tracked as CVE-2025-61884. Other major victims breached using the same vulnerability include Harvard University and American Airlines subsidiary Envoy Air.
Compromised Data
The Post's investigation concluded on October 27, confirming that 9,720 individuals had their data compromised. The following sensitive information was stolen:
- Full names
- Social Security numbers (SSNs)
- Bank account numbers and routing numbers
- Tax and ID numbers
Impacted employees and contractors are being offered a 12 month free identity protection service and are strongly advised to place a security freeze on their credit files.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
