Washington Post confirms data breach linked to Oracle hacks

The Washington Post was among the victims of a ransomware campaign exploiting Oracle’s E-Business Suite, linked to the Clop gang, which has targeted over 100 companies.

Nov 7, 2025 - 19:53

The Washington Post confirmed Friday that it was among the victims of a widespread hacking campaign tied to Oracle’s E-Business Suite, a suite of enterprise software used by major corporations around the world.

The disclosure follows an earlier Reuters report citing a statement from the newspaper acknowledging that it had been “affected by the breach of the Oracle E-Business Suite platform.”

Neither the Post nor Oracle has publicly detailed the scope of the incident or the type of data exposed. A spokesperson for The Washington Post did not immediately respond to TechCrunch’s request for comment. Oracle spokesperson Michael Egbert referred reporters to two previously published security advisories without answering direct questions.

Clop Ransomware Gang Linked to Oracle Exploits

The breach is part of a broader ransomware campaign linked to the Clop hacking group, which has targeted hundreds of companies by exploiting multiple vulnerabilities in Oracle’s E-Business Suite.

According to Google’s cybersecurity division, the Clop group began exploiting the flaws in late September, stealing business data and employee records from over 100 organisations. The Oracle E-Business Suite is widely used for managing human resources, accounting, and supply chain operations, making it a high-value target for data theft.

Executives at affected companies reportedly received extortion emails from addresses previously tied to the Clop gang, threatening to publish stolen files unless large ransom payments were made.

Ransom Demands and Public Extortion

Anti-ransomware firm Halcyon told TechCrunch that one executive was asked to pay $50 million to prevent the public release of company data.

On Thursday, the Clop group added The Washington Post to its dark web leak site, claiming the media organisation had “ignored their security.” Clop typically uses that phrasing to indicate that a victim refused to pay or broke off ransom negotiations.

It’s common for ransomware gangs to publicly name victims and leak portions of stolen data as a pressure tactic to coerce payment. However, The Washington Post has not confirmed whether any ransom demand was made or whether sensitive employee or business data was exfiltrated.

Other Victims Include Harvard and an American Airlines Subsidiary

The Post is not the only major organisation affected. Harvard University and Envoy, a subsidiary of American Airlines, have both confirmed they were also compromised in the Oracle E-Business Suite hacks.

These breaches underscore how a single software vulnerability in a widely used enterprise platform can cascade across industries, exposing sensitive internal data at universities, airlines, corporations, and now major media outlets.

Oracle’s Response

Oracle previously issued two security advisories warning customers to apply urgent patches for the exploited vulnerabilities. The company did not comment on the specifics of the Washington Post breach but emphasised the importance of timely updates to prevent future attacks.

The full extent of data stolen in the campaign remains unclear. Investigations are ongoing, and cybersecurity experts warn that similar attacks leveraging third-party software weaknesses are likely to continue.

TechAmerica.ai Staff TechAmerica.ai’s editorial team, consisting of expert editors, writers, and researchers, crafts accurate, clear, and valuable content focused on technology and education. We deliver in-depth technology news and analysis, with a special emphasis on founders and startup teams, covering funding trends, innovative startups, and entrepreneurial insights to empower our readers.