
Washington Post Data Breach Hits 10,000 Employees, Contractors

Summary

– The Washington Post notified nearly 10,000 employees and contractors that their personal and financial data was exposed in a data theft attack.
– Attackers exploited a zero-day vulnerability in Oracle E-Business Suite software between July 10 and August 22 to access the network and steal sensitive information.
– In late September, the hackers attempted to extort the Washington Post, and the breach has been linked to the Clop ransomware group using the CVE-2025-61884 vulnerability.
– Compromised data includes full names, bank account numbers, Social Security numbers, and tax ID numbers for affected individuals, who are offered identity protection services.
– Other organizations, such as Harvard University and American Airlines’ Envoy Air, were also breached using the same Oracle vulnerability, and this incident may be connected to a prior cyberattack on the Post’s journalists.

A significant data breach at The Washington Post has compromised the personal and financial information of almost 10,000 employees and contractors. The incident stemmed from a sophisticated cyberattack targeting a previously unknown vulnerability within the Oracle E-Business Suite software used by the newspaper.

Between July and August, unauthorized individuals gained access to the company’s internal network. These threat actors exploited a zero-day flaw in the Oracle platform, which serves as a critical enterprise resource planning system handling human resources, finance, and supply chain operations for major corporations. In late September, the hackers attempted to extort the publication, along with several other prominent organizations breached through the same method.

According to notifications sent to affected personnel, The Washington Post became aware of the intrusion when a malicious actor contacted them on September 29th, claiming to have infiltrated their Oracle applications. This prompted an immediate and comprehensive internal investigation, conducted with the help of external cybersecurity specialists. During this process, Oracle itself publicly disclosed the widespread security weakness, identified as CVE-2025-61884, which had enabled unauthorized access across its customer base.

Although the official letter does not identify the perpetrators, security researchers have linked these attacks to the notorious Clop ransomware gang. This same vulnerability was used to breach other high-profile entities, including Harvard University, Envoy Air (a subsidiary of American Airlines), and Hitachi’s GlobalLogic. The hacking group’s data leak site suggests an even larger number of victim organizations.

The internal probe concluded on October 27th, confirming that data belonging to 9,720 individuals was stolen. The compromised information is highly sensitive, including full names, bank account and routing numbers, Social Security numbers, and various tax identification details.

In response, the news organization is offering all impacted individuals a complimentary 12-month identity protection service subscription through IDX. They are also strongly advising people to place a security freeze on their credit files and to set up fraud alerts with the major credit bureaus.

This security incident follows another cyberattack disclosed in June, where foreign state actors compromised the email accounts of several Washington Post journalists. While the two events occurred in close succession, investigators are still determining if a direct connection exists between them. The publication has been contacted for further comment on the breach, and updates will follow as more information becomes available.

(Source: Bleeping Computer)
