The Washington Post is notifying nearly 10,000 employees and contractors that some of their personal and financial data has been exposed in the Oracle data theft attack.
The news organization is one of the largest daily newspapers in the U.S. with approximately 2.5 million digital subscribers.
Between July 10 and August 22, threat actors accessed parts of its network. They leveraged a vulnerability in Oracle E-Business Suite software that was a zero-day at the time to steal sensitive data.
In late September, the hackers tried to extort the Washington Post, along with other major companies they had breached the same way.
The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software that the Washington Post used internally, stole data, and then attempted to extort the firm in late September.
Oracle E-Business Suite is a widely used enterprise resource planning (ERP) platform with HR, finance, and supply chain functions that large organizations use internally.
According to the Washington Post’s notification to impacted individuals, Oracle disclosed the security vulnerability while the news organization was investigating the breach incident.
“On September 29, 2025, the Post was contacted by a bad actor who claimed to have gained access to its Oracle E-Business Suite applications,” describes the letter.
“In response, the Post launched a thorough investigation of its Oracle application environment with the assistance of experts to determine if the environment had been accessed without authorization.”
“During the investigation, Oracle announced that it had identified a previously unknown and widespread vulnerability in its E-Business Suite software that permitted unauthorized actors to access many Oracle customers’ E-Business Suite applications.”
Although the attackers aren’t named in the letter, the Clop ransomware group has been linked to these attacks, exploiting a zero-day flaw that is now tracked as CVE-2025-61884.
Among the organizations that were breached using the same vulnerability in Oracle E-Business Suite are Harvard University, American Airlines subsidiary Envoy Air, and Hitachi’s GlobalLogic.
These are some of the victims who have confirmed a breach or are investigating suspicious activity in their environments. However, Clop’s data leak site lists a larger number of breached organizations.
The Post’s investigation into the incident concluded on October 27 and revealed that the following types of data belonging to 9,720 employees and contractors had been compromised:
- Full names
- Bank account numbers and routing numbers
- Social Security numbers (SSNs)
- Tax and ID numbers
Impacted individuals received a 12-month free-of-charge identity protection service coverage through IDX and are recommended to consider placing a security freeze on their credit file and setting up fraud alerts on their report.
In June, the Washington Post announced that the email accounts of several of its journalists had been compromised in a cyberattack conducted by foreign state actors.
While the two incidents occurred shortly after one another, there is evidence of a connection between them.
BleepingComputer has contacted The Washington Post with additional questions, and we will update this post when we receive a reply.
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.