The Washington Post has confirmed a data breach that exposed personal and financial information belonging to nearly 10,000 current and former employees and contractors, following an exploitation campaign targeting Oracle E-Business Suite environments. The intrusion, attributed to the Clop ransomware group, leveraged a previously unknown vulnerability later assigned as CVE-2025-61884 (referenced in other reports as CVE-2025-61882).
According to the breach notification filed in Maine, the incident began when an unidentified threat actor contacted the Washington Post on September 29, 2025, claiming to have gained unauthorized access to the company's Oracle E-Business Suite applications. Subsequent forensic analysis revealed that the adversaries had maintained access to the environment between July 10 and August 22, during which they exfiltrated sensitive data. The compromised information includes full names, bank account and routing numbers, Social Security numbers, and tax identification data associated with 9,720 individuals.
Oracle E-Business Suite, a widely deployed enterprise resource planning (ERP) solution integrating financial, HR, and supply chain management capabilities, was the focal point of a broader exploitation campaign. Oracle publicly acknowledged the existence of the zero-day vulnerability on October 4, 2025, after receiving reports from multiple impacted organizations. The vendor's security advisory noted that some customers had also received extortion attempts consistent with the tactics of the Clop ransomware group, which has a documented history of exploiting critical vulnerabilities in file transfer and ERP systems to conduct large-scale data theft and extortion operations.
Mandiant and other incident response firms analyzing the breach chain have confirmed that Clop exploited multiple flaws within Oracle's E-Business Suite, using them to gain persistence and exfiltrate bulk data from affected enterprise environments. As in previous campaigns such as the MOVEit mass exploitation in 2023, Clop's operational model revolves around compromising centralized data exchange or management platforms to maximize the impact across numerous downstream organizations.
In this case, victims beyond the Washington Post include entities such as Envoy Air, Harvard University, and GlobalLogic, all of which confirmed similar intrusions during the same timeframe. Extortion demands from the group reportedly reached up to $50 million in some cases, with Clop threatening to leak stolen data via its public data-leak site unless payment was made.
The Washington Post finalized its investigation on October 27, confirming the scope of the compromise and initiating notification to affected parties. Impacted individuals have been offered 12 months of identity protection services through IDX, along with recommendations to enable credit freezes and fraud alerts as precautionary measures.
While Oracle has since issued patches to address the exploited vulnerability, the incident underscores the critical importance of proactive vulnerability management and continuous monitoring of third-party enterprise software environments. The breach represents another high-profile instance of supply-chain-level exploitation where trusted infrastructure becomes the vector for compromise.
The Washington Post has not publicly commented on whether ransom negotiations occurred or whether data was confirmed to have been leaked. However, the attack serves as a notable reminder of the convergence between ransomware operations, zero-day exploitation, and the growing risks associated with ERP system compromise across modern enterprises.