Envoy Air, a regional subsidiary of American Airlines, confirmed a cybersecurity breach linked to the Clop ransomware group, which exploited a zero-day vulnerability (CVE-2025-61882) in its Oracle E-Business Suite. The attack was part of a broader global campaign targeting multiple organizations. While the breach exposed business and commercial contact data, Envoy Air clarified that no sensitive customer or financial information was compromised. The Clop group leaked stolen data on its dark web platform, accusing the airline of neglecting cybersecurity. The incident follows a pattern of Clop’s large-scale data exfiltration operations, leveraging unpatched vulnerabilities in enterprise systems. Envoy Air engaged law enforcement and initiated an investigation, but the breach underscores ongoing risks in third-party enterprise applications, particularly in the aviation sector. The attack did not disrupt operations but raised concerns about supply-chain vulnerabilities and the exposure of non-sensitive corporate data to malicious actors.
TPRM report: https://www.rankiteo.com/company/envoyair
{
  "id": "env1802118101925",
  "linkid": "envoyair",
  "type": "Ransomware",
  "date": "6/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "customers_affected": "None (no passenger data impacted)",
      "industry": "Aviation",
      "location": "Irving, Texas, USA (Headquarters near Dallas–Fort Worth International Airport)",
      "name": "Envoy Air (MQ)",
      "type": "Regional Airline"
    },
    {
      "industry": "Aviation",
      "location": "Dallas–Fort Worth International Airport (DFW), Texas, USA",
      "name": "American Airlines",
      "type": "Major Airline"
    }
  ],
  "attack_vector": [
    "Zero-day Exploit (CVE-2025-61882)",
    "Oracle E-Business Suite Vulnerability"
  ],
  "customer_advisories": "Envoy Air confirmed no personal passenger data was impacted.",
  "data_breach": {
    "data_exfiltration": true,
    "sensitivity_of_data": "Low (no PII or financial data)",
    "type_of_data_compromised": ["Business Data", "Commercial Contact Information"]
  },
  "date_detected": "2025-08",
  "description": "Envoy Air (MQ), American Airlines’ largest regional subsidiary, confirmed a cybersecurity incident involving its Oracle E-Business Suite data after the Clop ransomware group listed American Airlines on its leak site. The breach is part of a broader Oracle E-Business Suite zero-day campaign (CVE-2025-61882) targeting multiple organizations worldwide. While some business and commercial contact data may have been accessed, no sensitive customer or financial information was compromised. Clop leaked stolen data on its dark web platform, accusing Envoy of neglecting cybersecurity concerns. The incident is linked to a zero-day vulnerability (CVE-2025-61882) exploited by Clop in early August 2025, with dozens of companies affected globally.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to dark web data leak and public disclosure by Clop",
    "data_compromised": ["Business Data", "Commercial Contact Data"],
    "identity_theft_risk": "None (no sensitive customer or financial data compromised)",
    "payment_information_risk": "None",
    "systems_affected": ["Oracle E-Business Suite"]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": true,
    "entry_point": "Oracle E-Business Suite Zero-Day (CVE-2025-61882)",
    "high_value_targets": ["Business Data", "Commercial Contact Information"]
  },
  "investigation_status": "Ongoing (as of August 2025)",
  "lessons_learned": "The incident highlights vulnerabilities in third-party enterprise applications (e.g., Oracle E-Business Suite) and the risks of integrated IT infrastructures in the aviation sector. Proactive patch management and data segmentation are critical for mitigating zero-day exploits.",
  "motivation": ["Financial Gain", "Data Theft", "Extortion"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Apply Oracle-provided patches for CVE-2025-61882 and CVE-2025-61884.",
      "Conduct a comprehensive review of integrated IT systems (e.g., shared platforms with American Airlines).",
      "Enhance monitoring for Clop-related indicators of compromise (IOCs).",
      "Implement stricter access controls for enterprise applications."
    ],
    "root_causes": [
      "Exploitation of unpatched zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite.",
      "Lack of proactive threat detection for emerging zero-day campaigns.",
      "Potential gaps in third-party vendor risk management (Oracle)."
    ]
  },
  "ransomware": {"data_exfiltration": true, "ransomware_strain": "Clop"},
  "recommendations": [
    "Implement heightened vigilance and patch management for enterprise platforms like Oracle E-Business Suite.",
    "Enhance data segmentation to limit exposure in integrated IT environments (e.g., airline scheduling, ticketing, and customer management systems).",
    "Monitor dark web platforms for leaked data and threat actor activity.",
    "Collaborate with cybersecurity firms (e.g., CrowdStrike, Mandiant) for threat intelligence and incident response.",
    "Evaluate third-party vendor security postures to prevent supply chain attacks."
  ],
  "references": [
    {"source": "Wikimedia Commons (Envoy Air Image)", "url": "https://commons.wikimedia.org/w/index.php?curid=92713161"},
    {"source": "Wikimedia Commons (American Eagle Image)", "url": "https://commons.wikimedia.org/w/index.php?curid=114029130"},
    {"source": "US State Department Reward for Clop Information"},
    {"source": "CrowdStrike/Mandiant Research on Clop Campaign (August 2025)"}
  ],
  "response": {
    "communication_strategy": "Public confirmation of breach, denial of sensitive data exposure",
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true
  },
  "threat_actor": ["Clop", "TA505", "Cl0p", "FIN11"],
  "title": "Envoy Air Oracle E-Business Suite Data Breach Linked to Clop Ransomware",
  "type": ["Data Breach", "Ransomware Extortion"],
  "vulnerability_exploited": ["CVE-2025-61882", "CVE-2025-61884 (potential, patched later)"]
}