The **Cl0p ransomware group** claimed responsibility for a data breach targeting **NHS UK** on **November 11, 2026**, exploiting critical vulnerabilities in **Oracle’s E-Business Suite (EBS)** (CVE-2025-61882, CVSS 9.8). The group accused NHS of neglecting security, stating it ignored customer protection, though the **volume of stolen data remains undisclosed**. The breach aligns with prior warnings from NHS’s cybersecurity division in **October 2026** about unpatched Oracle EBS flaws, suggesting Cl0p leveraged the same vulnerabilities NHS had flagged. The attack follows a pattern of **large-scale data exfiltration** (rather than encryption) by Cl0p, targeting high-value enterprise systems. While NHS has not confirmed the breach, the timing, coming shortly after the incident at **The Washington Post** (another victim of the same Oracle EBS exploit), implies a **coordinated campaign**. Experts warn the stolen data (potentially including **patient records, employee details, or financial information**) could be leaked or sold, posing risks to **privacy, operational continuity, and public trust**. The breach underscores systemic vulnerabilities in **healthcare IT infrastructure**, with Cl0p’s tactics involving **prolonged undetected access** before public disclosure.
Source: https://hackread.com/cl0p-ransomware-nhs-uk-washington-post-breach/
NHS England Digital Profession cybersecurity rating report: https://www.rankiteo.com/company/nhs-digital
"id": "nhs2202122111225",
"linkid": "nhs-digital",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare',
'location': 'United Kingdom',
'name': 'National Health Service (NHS UK)',
'size': 'Large (Public Sector)',
'type': 'Government Healthcare Provider'},
{'industry': 'News and Publishing',
'location': 'United States',
'name': 'The Washington Post',
'size': 'Large',
'type': 'Media Organization'},
{'industry': 'Higher Education',
'location': 'United States',
'name': 'Harvard University',
'size': 'Large',
'type': 'Educational Institution'},
{'industry': 'Transportation',
'location': 'United States',
'name': 'Envoy (American Airlines Subsidiary)',
'size': 'Large',
'type': 'Aviation Services'}],
'attack_vector': ['Exploitation of Public-Facing Application (CVE-2025-61882)',
'Remote Code Execution',
'Data Exfiltration'],
'customer_advisories': ['The Washington Post Public Statement (Post-Breach)',
'Potential NHS UK Notifications Pending '
'Investigation'],
'data_breach': {'data_exfiltration': ['Confirmed (183GB for The Washington '
'Post)',
'Claimed for NHS UK (Volume '
'Undisclosed)'],
'personally_identifiable_information': ['Potential (Not '
'Specified)'],
'sensitivity_of_data': ['Potentially High (Enterprise '
'Software Data)']},
'date_detected': '2026-11-11',
'date_publicly_disclosed': '2026-11-11',
'description': 'Cl0p ransomware group claimed responsibility for data '
'breaches affecting the National Health Service (NHS UK) and '
'The Washington Post by exploiting critical vulnerabilities in '
'Oracle’s E-Business Suite (EBS), specifically CVE-2025-61882 '
'(CVSS 9.8). The group accused NHS UK of neglecting security '
'and published 183GB of data allegedly stolen from The '
"Washington Post under the folder 'ebs.washpost.com'. The "
'attacks align with Cl0p’s pattern of large-scale, coordinated '
'data-exfiltration campaigns targeting high-value enterprise '
'software. Oracle released patches in October 2025, but many '
'systems remain exposed, enabling ongoing exploitation by Cl0p '
'and affiliated groups like FIN11. The campaign, which began '
'as early as August 2025, has also impacted other high-profile '
'organizations such as Harvard University and Envoy (American '
'Airlines subsidiary).',
'impact': {'brand_reputation_impact': ['High (Accusations of Negligence by '
'Cl0p)',
'Erosion of Trust in NHS UK and The '
'Washington Post'],
'data_compromised': {'nhs_uk': None,
'the_washington_post': '183GB'},
'identity_theft_risk': ['Potential (Dependent on Stolen Data '
'Types)'],
'operational_impact': ['Potential Disruption to Healthcare '
'Services (NHS UK)',
'Compromised Journalistic Operations (The '
'Washington Post)'],
'systems_affected': ['Oracle E-Business Suite (EBS)',
'BI Publisher Integration Module']},
'initial_access_broker': {'data_sold_on_dark_web': ['The Washington Post Data '
'(183GB Published)',
'NHS UK Data (Claimed, '
'Not Yet Verified)'],
'entry_point': 'Exploitation of CVE-2025-61882 in '
'Oracle EBS BI Publisher Integration '
'Module',
'high_value_targets': ['Finance Systems',
'HR Systems',
'Supply-Chain Management '
'Systems'],
'reconnaissance_period': 'August 2025 – October '
'2025 (Prior to Patch '
'Release)'},
'investigation_status': 'Ongoing (NHS UK Claim Under Investigation; The '
'Washington Post Breach Confirmed)',
'lessons_learned': ['Critical Importance of Timely Patch Management for '
'Enterprise Software',
'Risks of Exposed Internet-Facing Systems in High-Value '
'Sectors (Healthcare, Media)',
'Need for Proactive Threat Hunting and Forensic Reviews '
'Following Vulnerability Disclosures',
'Centralized Ransomware Groups Like Cl0p Pose Systemic '
'Risks Due to Coordinated, Large-Scale Exploitation',
'Collateral Damage from Publicly Leaked Proof-of-Concept '
'Exploits (e.g., Scattered Lapsus$ Hunters)'],
'motivation': ['Financial Gain',
'Data Extortion',
'Reputation Damage to Targets'],
'post_incident_analysis': {'corrective_actions': ['Mandatory Patch Compliance '
'for Oracle EBS Users',
'Enhanced Threat '
'Intelligence Sharing Among '
'High-Risk Sectors',
'Regular Audits of '
'Internet-Facing Enterprise '
'Systems',
'Adoption of Zero Trust '
'Principles for High-Value '
'Business Applications'],
'root_causes': ['Delayed Patch Application for '
'Critical Vulnerability '
'(CVE-2025-61882)',
'Internet Exposure of Enterprise '
'Software (Oracle EBS)',
'Lack of Proactive Monitoring for '
'Early Signs of Exploitation '
'(August–October 2025)',
'Collateral Damage from Publicly '
'Available Exploit Code (Leaked by '
'Scattered Lapsus$ Hunters)']},
'ransomware': {'data_exfiltration': ['Primary Focus of Campaign'],
'ransomware_strain': 'Cl0p (Clop)'},
'recommendations': ['Immediate Application of Oracle EBS Patches (October '
'2025 or Later)',
'Restriction of Internet Exposure for EBS and Similar '
'Enterprise Systems',
'Conduct Forensic Reviews Dating Back to August 2025 for '
'Signs of Compromise',
'Monitor Network Traffic for Connections to Known '
'Malicious IPs (e.g., 200.107.207.26, 185.181.60.11)',
'Implement Network Segmentation to Limit Lateral Movement',
'Enhance Monitoring for Unauthorized Access to High-Value '
'Business Systems (Finance, HR, Supply Chain)',
'Prepare Incident Response Plans Specific to Enterprise '
'Software Exploits',
'Collaborate with Threat Intelligence Providers (e.g., '
'Mandiant, SOCRadar) for Early Warnings'],
'references': [{'date_accessed': '2026-11-11',
'source': 'Hackread.com',
'url': 'https://www.hackread.com'},
{'date_accessed': '2026-11-07',
'source': 'The Washington Post',
'url': 'https://www.washingtonpost.com'},
{'source': 'Outpost24 (Lidia Lopez, Senior Threat Intelligence '
'Analyst)'},
{'source': 'SOCRadar (Faik Emre Derin, Technical Content '
'Manager)'},
{'source': 'Mandiant Investigation Reports'},
{'source': 'Google Threat Intelligence Group'},
{'date_accessed': '2025-10-04',
'source': 'Oracle Security Alerts (CVE-2025-61882)',
'url': 'https://www.oracle.com/security-alerts/'}],
'regulatory_compliance': {'regulatory_notifications': ['NHS Cybersecurity '
'Alerts (October '
'2026)']},
'response': {'communication_strategy': ['Public Disclosure by Cl0p (Dark Web)',
'The Washington Post Statement',
'NHS Cybersecurity Alerts'],
'containment_measures': ['Oracle Patch Application (Urged)',
'Restriction of Internet Exposure for '
'EBS Systems'],
'enhanced_monitoring': ['Recommended for Oracle EBS Systems'],
'incident_response_plan_activated': ['NHS Cybersecurity Division '
'Alerts (October 2026)',
'The Washington Post '
'Confirmation '
'(Post-Breach)'],
'remediation_measures': ['Forensic Reviews (Dating Back to '
'August 2025)',
'Monitoring for Suspicious IPs'],
'third_party_assistance': ['Mandiant (Investigation)',
'Google Threat Intelligence Group '
'(Analysis)']},
'stakeholder_advisories': ['NHS Cybersecurity Division Alerts (October 2026)',
'Oracle Patch Advisories (October 2025)'],
'threat_actor': {'associated_groups': ['FIN11'],
'historical_campaigns': ['MOVEit Transfer Exploits (2023)',
'GoAnywhere Exploits (2023)',
'Oracle EBS Campaign (2025–2026)'],
'indicators_of_compromise': {'domains': None,
'hashes': None,
'ips': ['200.107.207.26',
'185.181.60.11']},
'name': 'Cl0p (Clop) Ransomware Group',
'tactics': ['Large-Scale Data Exfiltration',
'Exploitation of Zero-Day Vulnerabilities',
'Targeted Attacks on Enterprise Software',
'Dark Web Leak Site for Extortion'],
'type': 'Centralized Ransomware Operation'},
'title': 'Cl0p Ransomware Group Exploits Oracle E-Business Suite '
'Vulnerabilities in NHS UK and The Washington Post Data Breaches',
'type': ['Data Breach', 'Ransomware Attack', 'Exploitation of Vulnerability'],
'vulnerability_exploited': {'affected_module': 'BI Publisher Integration',
'affected_software': 'Oracle E-Business Suite '
'(EBS)',
'affected_versions': ['12.2.3',
'12.2.4',
'12.2.5',
'12.2.6',
'12.2.7',
'12.2.8',
'12.2.9',
'12.2.10',
'12.2.11',
'12.2.12',
'12.2.13',
'12.2.14'],
'cve_id': 'CVE-2025-61882',
'cvss_score': 9.8,
'exploit_publicly_available': '2025-10-03 '
'(Proof-of-Concept '
'leaked by '
'Scattered Lapsus$ '
'Hunters)',
'patch_available': '2025-10-04'}}