The Washington Post has publicly disclosed a significant data breach involving external hacking of its Oracle E-Suite system, impacting over 9,700 employees and contractors worldwide.
The breach notification, filed with Maine’s Attorney General, reveals the incident occurred on July 10, 2025, but remained undiscovered until October 27, 2025, nearly three-and-a-half months later.
Maine official regulatory filing submitted by ZwillGen PLLC, the prestigious news organization’s legal counsel. The breach compromised the personal information of 9,720 individuals, including 31 Maine residents.
Oracle E-Suite Exposes Employee Data
The compromised data included names and other personal identifiers combined with additional sensitive information.
Though specific details about what additional data was exposed remain limited in the public disclosure. The Washington Post’s headquarters, located at 1301 K Street NW in Washington, DC, was the site of the intrusion, which was discovered during routine security monitoring.
The extended discovery window raises questions about the organization’s detection capabilities and security monitoring practices within its systems.
Such gaps between breach occurrence and discovery are common in major cyber incidents, allowing threat actors to maintain extended access to sensitive systems and data.
As part of its incident response, The Washington Post offered complimentary identity theft protection services to all impacted employees and contractors.
This proactive approach reflects emerging best practices in breach response. It demonstrates a commitment to mitigating potential harm from unauthorized data access.
Senior Legal Director Marci Rozen, representing The Washington Post through external counsel firm ZwillGen PLLC, filed the formal breach notification with Maine regulators.
The filing represents part of the organization’s legal obligations under the state’s data breach notification laws, which require notification of affected residents within a specific timeframe.
The Oracle E-Suite system targeted in this incident manages employee data and administrative functions across the organization.
Maine’s breach report underscores ongoing vulnerabilities in enterprise software systems and highlights the persistent threat posed by external threat actors.
Targeting major organizations, including media outlets handling sensitive editorial and proprietary information.
The Washington Post’s rapid notification to affected individuals and its provision of identity protection services demonstrate that it has established incident response protocols.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
