Oracle attacks: Washington Post confirms data breach, NHS investigating

Oracle's E-Business Suite had a hidden vulnerability


The Washington Post is one of several high-profile organisations to be affected by a vulnerability in Oracle’s E-Business Suite.

The Post says a major data breach has exposed sensitive personal information belonging to nearly 10,000 current and former employees and contractors, following a targeted cyberattack linked to the Clop ransomware group.

The Washington Post is one of the largest daily newspapers in the United States, with approximately 2.5 million digital subscribers.

According to a filing with the Maine attorney general, a threat actor contacted the outlet on 29th September claiming to have gained unauthorised access to the company's Oracle E-Business Suite (EBS) environment.

Oracle EBS is a widely deployed ERP system that large organisations use to manage HR, finance and supply chain operations.

Investigations revealed that the actor(s) had infiltrated portions of the Post's network between 10th July and 22nd August by exploiting a zero-day vulnerability, now tracked as CVE-2025-61884, in Oracle EBS.

The vulnerability was unknown at the time of the intrusion.

Oracle privately alerted customers to the flaw and later issued emergency security patches in late October, which the Post said it applied immediately.

After stealing data, the attackers attempted to extort the newspaper in late September: a hallmark of the Clop ransomware gang, which has targeted major corporations worldwide using the same vulnerability.

Though the Post's notification letter does not explicitly name Clop, the ransomware group publicly claimed responsibility on its leak site on Thursday, accusing the organisation of "ignoring their security."

Google and independent researchers have previously warned that Clop has been exploiting multiple Oracle EBS vulnerabilities at scale, breaching organisations across industries.

Confirmed victims of the same EBS flaw include Harvard University, Envoy Air (a subsidiary of American Airlines) and Hitachi's GlobalLogic, with many more listed on Clop's leak site.

Personal information stolen through unknown vulnerability

The Washington Post's internal investigation, completed on 27th October, determined that data belonging to 9,720 individuals had been compromised.

The exposed information includes:

  1. Full names
  2. Bank account and routing numbers
  3. Social Security numbers
  4. Tax and identification numbers

In its notification letter to impacted individuals, the Post said the vulnerability exploited "was unknown prior to this incident, has impacted many Oracle customers, and is not specific to the Post."

It added that once alerted to the intrusion, it "moved quickly to lock down its environment" and engaged external experts to conduct a full forensic review.

The Post is offering 12 months of complimentary identity protection services through IDX and advising affected individuals to place security freezes on their credit files and set up fraud alerts.

The breach follows a separate incident in June in which several Washington Post journalists' email accounts were compromised by foreign state-linked hackers.

Oracle has offered little public commentary about the widespread exploitation that followed discovery of the vulnerability.

The company acknowledged the flaw in late October when it issued emergency patches, but it has not revealed how many customers were impacted, or responded to researchers' assertions that the bug had been used extensively for months to target organisations around the world.

NHS investigating breach claim

The NHS is also investigating, after Clop added the health service to its leak site on 11th November.

The criminal gang has not yet published any NHS data and only lists the NHS.uk domain, rather than a specific branch or trust – so we don’t yet know how extensive the claimed breach is.

Clop might not even know which bit of the NHS it’s hit. The organisation is notoriously complex, especially for an outsider.

Either way, the group has wasted its time: the NHS doesn’t ever pay ransoms, and indeed might soon be banned from doing so.