In a significant supply chain attack, nearly 10,000 Washington Post employees and contractors had their sensitive financial and personal information stolen after threat actors exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS). The breach occurred between July 10 and August 22, 2025, with the Clop ransomware group later attempting to extort the news organization using the stolen data.

The Attack Vector: Oracle EBS Zero-Day

Oracle EBS—a widely adopted enterprise resource planning platform handling HR, finance, and supply chain operations—contained an undisclosed vulnerability (CVE-2025-61884) during the attack window. The flaw allowed unauthorized access to internal systems, enabling data exfiltration before Oracle patched it.

"During the investigation, Oracle announced that it had identified a previously unknown and widespread vulnerability in its E-Business Suite software that permitted unauthorized actors to access many Oracle customers’ applications," the Washington Post disclosed to affected individuals.

Scope and Impact

Compromised data includes:
- Full names
- Bank account and routing numbers
- Social Security numbers (SSNs)
- Tax identification details

The breach impacted 9,720 individuals, and the Post is offering 12 months of identity protection services. This incident follows another breach in June 2025, in which foreign state actors compromised journalists' email accounts, suggesting possible targeting patterns.

Broader Implications

This is not an isolated incident. Harvard University, American Airlines subsidiary Envoy Air, and Hitachi’s GlobalLogic were also breached via the same Oracle flaw. Clop’s leak site lists even more victims, underscoring the critical risk of centralized ERP systems:

- Vendor Responsibility: Oracle’s delayed disclosure highlights challenges in enterprise patch management.
- Supply Chain Domino Effect: A single vulnerability in widely deployed software can cascade across industries.
- Ransomware Evolution: Clop continues refining its big-game hunting tactics, shifting from encryption to pure data extortion.

While the Post investigates potential links between the two 2025 breaches, this event serves as a stark reminder: legacy enterprise software remains a high-value target, and proactive vulnerability management is non-negotiable for organizations handling sensitive data.

Source: BleepingComputer (https://www.bleepingcomputer.com/news/security/washington-post-data-breach-impacts-nearly-10k-employees-contractors/)