The Washington Post has confirmed that nearly 10,000 employees and contractors had sensitive personal data stolen in the Clop-linked Oracle E-Business Suite (EBS) attacks.
In a filing with Maine's attorney general, submitted on November 12, the Post details how the newspaper was contacted by a "bad actor" on September 29 who claimed to have breached its Oracle EBS environment.
An internal investigation later confirmed the intruder's claims and tied the access to the previously unknown Oracle EBS vulnerability that cybercriminals have exploited across multiple organizations. The Clop ransomware gang has claimed responsibility for those attacks, posting dozens of alleged victims on its dark web leak site.
According to the Post's notice, attackers accessed and exfiltrated data between July 10 and August 22.
The newspaper determined on October 27 that the stolen information included names, bank account and routing numbers, Social Security numbers, and tax ID numbers belonging to current and former staff and contractors.
Almost 10,000 people were ultimately notified, and affected individuals whose Social Security numbers or tax IDs were compromised have been offered complimentary identity-protection services.
The notification letter states that the vulnerability "was unknown prior to this incident, has impacted many Oracle customers, and is not specific to the Post." The newspaper stresses that it moved quickly to lock down its environment once the intrusion was detected and applied Oracle's patches as soon as they became available.
- Allianz UK joins growing list of Clop's Oracle E-Business Suite victims
- American Airlines subsidiary Envoy caught in Clop's Oracle EBS raid
- Oracle rushes out another emergency E-Business Suite patch as Clop fallout widens
- Clop raid on Oracle E-Business Suite started months ago, researchers warn
Oracle has said little publicly about the wave of mass exploitation that followed the discovery of the EBS flaw. Big Red confirmed the vulnerability in late October when it released emergency fixes, but it has not disclosed how many customers were affected, nor has it addressed researchers' claims that the bug was used at scale for months against organizations worldwide.
Still, the Post's confirmation adds another high-profile name to the growing list of victims of the EBS-targeting campaign that has dominated enterprise security headlines in recent weeks. Hitachi-owned GlobalLogic disclosed this week that more than 10,000 of its own staff had data stolen via the same exploit, and Allianz UK also confirmed it was caught up in the spree.
Clop, known for its mass-exploitation tactics, has already named dozens of organizations on its leak site following the Oracle EBS campaign, spanning sectors from healthcare and consumer electronics to finance, manufacturing, education, and media.
In its letter to the Maine attorney general, the Post said it "regrets any worry or inconvenience" caused by the breach and insisted that safeguarding staff data remains "a top priority." With other organizations now trawling their Oracle logs for signs of trouble, more disclosures look inevitable. ®