The Washington Post, a major U.S. daily newspaper with ~2.5M digital subscribers, suffered a data breach through a zero-day vulnerability (CVE-2025-61884) in Oracle E-Business Suite between **July 10 and August 22, 2025**. Threat actors (linked to the **Clop ransomware group**) exploited the flaw to access the Post's internal ERP system and stole sensitive **employee and contractor data**, including **full names, bank account/routing numbers, Social Security numbers (SSNs), and tax/ID numbers**, affecting **9,720 individuals**. The attackers later attempted extortion in late September. While the breach was contained to internal HR/finance systems, the exposed data poses severe risks of **identity theft, financial fraud, and reputational harm**. Victims were offered 12 months of free identity protection (IDX) and advised to freeze credit files. The incident follows a separate June 2025 attack on journalists' emails by state actors, though no direct link was confirmed.
The Washington Post cybersecurity rating report: https://www.rankiteo.com/company/washingtonpost
{
  "id": "WAS0092300111325",
  "linkid": "washingtonpost",
  "type": "Breach",
  "date": "6/2025",
  "severity": "85",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': '9,720 employees and contractors',
                        'industry': 'news/publishing',
                        'location': 'United States',
                        'name': 'The Washington Post',
                        'size': '~2.5 million digital subscribers; ~10,000 '
                                'employees/contractors affected',
                        'type': 'media organization'}],
 'attack_vector': ['exploitation of zero-day vulnerability (CVE-2025-61884)',
                   'unauthorized access to Oracle E-Business Suite'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': 9720,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes SSNs, bank details, '
                                        'and tax IDs)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'financial data',
                                              'tax information']},
 'date_detected': '2025-09-29',
 'date_publicly_disclosed': '2025-10-27',
 'date_resolved': '2025-10-27',
 'description': 'The Washington Post notified nearly 10,000 employees and '
                'contractors that their personal and financial data was '
                'exposed in an attack exploiting a zero-day vulnerability in '
                'Oracle E-Business Suite. The Clop ransomware group is '
                'suspected of leveraging CVE-2025-61884 to steal sensitive HR '
                'and financial data, followed by an extortion attempt in late '
                'September 2025. The breach occurred between July 10 and '
                'August 22, 2025, with the investigation concluding on October '
                '27, 2025.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of employee/contractor data '
                                       'and extortion attempt',
            'data_compromised': ['full names',
                                 'bank account numbers',
                                 'routing numbers',
                                 'Social Security numbers (SSNs)',
                                 'tax and ID numbers'],
            'identity_theft_risk': 'High (SSNs, bank details, and tax IDs '
                                   'exposed)',
            'payment_information_risk': 'High (bank account and routing '
                                        'numbers exposed)',
            'systems_affected': ['Oracle E-Business Suite (HR, finance, supply '
                                 'chain modules)']},
 'initial_access_broker': {'entry_point': 'Zero-day vulnerability in Oracle '
                                          'E-Business Suite (CVE-2025-61884)',
                           'high_value_targets': ['HR data',
                                                  'financial data',
                                                  'employee/contractor PII']},
 'investigation_status': 'Completed (as of 2025-10-27)',
 'motivation': ['financial gain', 'extortion'],
 'post_incident_analysis': {'root_causes': ['Unpatched zero-day vulnerability '
                                            'in Oracle E-Business Suite',
                                            'Lack of proactive monitoring for '
                                            'novel exploits']},
 'ransomware': {'data_exfiltration': True,
                'ransom_demanded': True,
                'ransomware_strain': 'Clop (suspected)'},
 'recommendations': ['Apply patches for CVE-2025-61884 promptly',
                     'Monitor Oracle E-Business Suite for unauthorized access',
                     'Enhance identity protection for employees (e.g., credit '
                     'freezes, fraud alerts)',
                     'Review third-party software vulnerabilities proactively'],
 'references': [{'source': 'BleepingComputer'},
                {'source': 'The Washington Post (notification letter to '
                           'affected individuals)'}],
 'response': {'communication_strategy': ['notification letters to affected '
                                         'individuals',
                                         'public disclosure'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['12-month free identity protection (IDX) '
                                    'for affected individuals',
                                    'recommendations for credit freezes and '
                                    'fraud alerts'],
              'remediation_measures': ['investigation with external experts',
                                       'collaboration with Oracle'],
              'third_party_assistance': True},
 'stakeholder_advisories': ['12-month identity protection (IDX) offered to '
                            'affected individuals'],
 'threat_actor': 'Clop ransomware group (suspected)',
 'title': 'Washington Post Oracle E-Business Suite Data Theft and Extortion '
          'Attempt',
 'type': ['data breach', 'extortion', 'zero-day exploit'],
 'vulnerability_exploited': 'CVE-2025-61884 (Oracle E-Business Suite zero-day)'}