
Envoy Air Hit by Oracle Data Breach, American Airlines Confirms

Summary

– Envoy Air, an American Airlines subsidiary, confirmed its Oracle E-Business Suite application was compromised by the Clop extortion gang.
– The airline stated no sensitive or customer data was affected, but a limited amount of business information and contact details may have been compromised.
– Clop exploited a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite during an August data theft campaign affecting dozens of organizations.
– The same Clop campaign also targeted Harvard University, impacting a limited number of parties in a small administrative unit.
– Oracle silently patched another E-Business Suite zero-day (CVE-2025-61884) in July 2025 after it was actively exploited and linked to a leaked exploit.

A significant data security incident has impacted Envoy Air, the regional carrier owned by American Airlines, following a breach of its Oracle E-Business Suite application. The Clop ransomware gang claimed responsibility for the attack, listing American Airlines on its data leak portal and alleging the company neglected customer security. Envoy Air officials confirmed their awareness of the situation, immediately launching an internal investigation and notifying law enforcement agencies.

According to Envoy Air, a comprehensive review determined that no sensitive customer information was accessed or exposed. The compromised data appears limited to certain business details and commercial contact information. Envoy Air operates as an American Airlines subsidiary, managing regional flights under the American Eagle brand while utilizing American’s integrated systems for ticketing, scheduling, and passenger services.

The Clop group began publishing what they allege is stolen Envoy data on their leak site, accompanied by accusatory statements about the company’s security practices. This incident connects to a broader August data theft campaign orchestrated by Clop, which started sending extortion emails to victim organizations in September. The attackers specifically targeted vulnerabilities within Oracle E-Business Suite environments.

Initially, Oracle indicated that patched vulnerabilities from July were being exploited. However, the company later acknowledged attackers used a previously unknown zero-day flaw, identified as CVE-2025-61882. Security firms CrowdStrike and Mandiant confirmed that Clop operatives leveraged these vulnerabilities in early August to infiltrate systems and deploy malicious software.

While Clop has not disclosed the total number of affected companies, security experts like Google’s John Hultquist estimate dozens of organizations faced impact from these coordinated attacks. Harvard University also confirmed being targeted in the same campaign, noting the incident affected a small administrative unit and limited associated parties.

In a related development, Oracle recently addressed another E-Business Suite zero-day tracked as CVE-2025-61884 through a silent patch. The company did not publicly disclose that this vulnerability had been actively exploited since July 2025. This particular security gap has been linked to an exploit publicly shared by the Shiny Lapsus$ Hunters extortion group on Telegram.

This isn’t the first cybersecurity challenge for American Airlines, which experienced separate data breaches in 2022 and 2023 that compromised employee personal information.

The Clop ransomware operation, also monitored under designations TA505, Cl0p, and FIN11, emerged in 2019 initially focusing on network breaches to deploy CryptoMix ransomware. Since 2020, the group shifted tactics toward exploiting zero-day vulnerabilities in enterprise file transfer and data storage platforms to exfiltrate sensitive information. Their history includes multiple high-profile attacks leveraging previously unknown security flaws. The U.S. State Department currently offers a $10 million reward for information connecting Clop’s ransomware activities to a foreign government.

(Source: Bleeping Computer)
