Tuesday, March 17, 2026

Washington Post Oracle E-Suite Breach Exposes Data Of Over 9,000 Employees and Contractors

The Washington Post has disclosed a significant data breach that compromised sensitive information for 9,720 current and former employees and contractors.

This incident, linked to a zero-day vulnerability in Oracle’s E-Business Suite software, occurred between July 10 and August 22, 2025, but was only discovered on October 27, 2025, after an extortion attempt.

The breach highlights ongoing risks in enterprise resource planning systems used for human resources and financial management.

The newspaper notified affected individuals on November 12, 2025, as required by state law, revealing that 31 Maine residents were affected.

Exposed data included full names, Social Security numbers, bank account and routing numbers, and tax identification numbers, increasing risks of identity theft and financial fraud.

The Washington Post, which relies on Oracle E-Business Suite for internal operations such as payroll and HR, became one of many victims in a broader hacking campaign.

Breach Technical Details

Hackers exploited CVE-2025-61884, a previously unknown zero-day flaw in Oracle E-Business Suite, an ERP platform handling finance, supply chain, and employee data.

This vulnerability allowed unauthorized remote access without authentication, enabling attackers to infiltrate the system and exfiltrate records undetected for over a month.

Oracle disclosed the issue during the Washington Post’s investigation, confirming it affected multiple customers globally.

The intrusion began on July 10, 2025, when threat actors, believed to be the Clop ransomware group, targeted the E-Suite environment.

Clop has a history of exploiting supply-chain vulnerabilities, as seen in prior attacks on MOVEit and GoAnywhere software, to steal data for extortion.

In this case, attackers accessed HR modules, combining personal identifiers with financial details to create high-value profiles for phishing or account takeovers.

No ransomware was deployed at the Post, but the group added the organization to its dark web leak site in mid-October, pressuring it to pay.

Forensic analysis revealed the breach’s scope on October 27, after the September 29 extortion contact prompted expert involvement.

Security experts note that zero-day exploits against legacy ERP systems such as EBS, which often run on outdated Java or database configurations, evade traditional defenses such as firewalls and intrusion detection systems.

The flaw likely involved improper access controls in the application’s web interface, allowing SQL injection or session hijacking.

Oracle has since patched CVE-2025-61884, urging users to apply updates and segment networks to isolate ERP environments.

Company Response and Broader Implications

In response, the Washington Post engaged cybersecurity firms for a full audit, secured its Oracle systems, and offered 12 months of free identity protection services through IDX, including credit monitoring and fraud alerts.

Affected individuals are advised to freeze their credit reports and watch for suspicious activity.

The company emphasized that no subscriber data was compromised, limiting fallout to internal records.

This breach underscores vulnerabilities in third-party software supply chains, affecting other Oracle users like Envoy Air and GlobalLogic.

It may lead to lawsuits and regulatory scrutiny under laws like Maine’s data breach notification statute.

For cybersecurity professionals, it reinforces the need for zero-trust architectures and regular penetration testing on enterprise tools.

As Clop continues targeting unpatched systems, organizations must prioritize timely updates to mitigate similar risks.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
