Washington Post confirms data breach in the Oracle E-Business Suite attack campaign

The Washington Post has confirmed that it was compromised in the cyberattack campaign targeting organizations using Oracle's E-Business Suite platform. The attack was claimed by the Clop ransomware gang, and affected more than 100 companies worldwide.

The Washington Post acknowledged in a statement on November 6, 2025, that it was among the organizations impacted "by the breach of the Oracle E-Business Suite platform." 

The vulnerabilities exploited in this campaign were CVE-2025-61882, a zero-day vulnerability in the Oracle Concurrent Processing product within Oracle E-Business Suite and CVE-2025-61884 a zero-day vulnerability affecting the Oracle Configurator component. Possibly multiple other vulnerabilities from Oracle's July 2025 Critical Patch Update were also exploited.

The Washington Post has not disclosed details about what data was compromised in its systems or the number of individuals affected.

Update - as of 13th of November 2025, the Washington Post reporting that data belonging to 9,720 employees and contractors had been compromised. The exposed data includes:
- Full names
- Bank account numbers and routing numbers
- Social Security numbers (SSNs)
- Tax and ID numbers

Impacted individuals are offered a 12-month free-of-charge identity protection.