In a dramatic cybersecurity twist worthy of a newsroom thriller, The Washington Post, one of America's most influential newspapers, has confirmed a major data breach that exposed the personal and financial information of nearly 10,000 employees and contractors after hackers quietly exploited its internal systems for more than a month.
The attack, believed to be linked to the Clop ransomware group, exploited a previously unknown zero-day vulnerability in Oracle's widely used E-Business Suite, a platform deeply embedded in The Post's HR and financial operations. The flaw remained invisible to both Oracle and its customers until cybercriminals began extorting victims across multiple industries.
An Intrusion That Began Long Before Discovery
According to a data breach notification filed by The Post in Maine, the intrusion quietly took place between July 10 and August 22, 2025, as attackers leveraged a then-unknown zero-day vulnerability in Oracle's enterprise resource planning (ERP) platform, software commonly used for HR, finance, and supply chain systems at large organizations.
The breach only came to light on September 29, when the newspaper received a message from a "bad actor" claiming to have gained access to its Oracle E-Business Suite applications. This triggered a full forensic investigation, conducted with external experts.
While the inquiry was underway, Oracle confirmed the flaw, revealing that it had discovered a zero-day vulnerability affecting many customers. The company issued a security patch on October 4, 2025, but by then, attackers had already siphoned off valuable information in their data-theft operations.
Clop Ransomware Group Suspected
While The Washington Post did not directly name the attackers, multiple indicators point to Clop, a ransomware gang known for mass exploitation of enterprise software platforms. The gang has already mounted similar attacks against organizations, including Envoy Air, Hitachi's GlobalLogic, Harvard University, and others, posting victims' names on a dark-web leak site.
According to security researchers, Clop exploited multiple Oracle vulnerabilities, including the zero-day now tracked as CVE-2025-61882 / 61884, to steal large volumes of sensitive data before demanding ransoms that soared as high as $50 million.
Nearly 10,000 People Impacted
The Post confirmed the breach on October 27, 2025, revealing that attackers stole sensitive personal information of 9,720 current and former employees and contractors, which included:
- Full names
- Bank account numbers
- Routing numbers
- Social Security numbers
- Tax ID numbers
This type of data is considered high-risk for identity theft, financial fraud, and phishing attacks. Affected individuals have been offered 12 months of free identity protection through IDX, along with recommendations to place a security freeze and fraud alerts on their credit reports.
A Cyberstorm That Keeps Growing
The attack places The Washington Post among a rapidly growing list of high-profile organizations hit by the Oracle E-Business Suite zero-day, a campaign that has dominated cybersecurity and enterprise IT headlines for weeks.
As companies continue digging through their logs, experts warn that more victims are likely to surface, especially those running older or unpatched versions of Oracle EBS. With thousands already affected and additional disclosures expected, the Oracle EBS exploitation has quickly become one of 2025's most significant enterprise data breaches.
