An ex-Washington Post employee reportedly is suing the news organization in the wake of a data breach the exposed the personal data of almost 10,000 current and former workers, saying the company failed to put adequate protections in place.
According to Politico, Jun Hee Kim, who worked at the Post in 2018 and 2019, filed a class action lawsuit that includes the 9.720 people potentially victimized by the hack, which includes not only employees but also independent contractors and contributors, who reportedly included former National Security Adviser John Bolton.
Kim reportedly in the lawsuit claims the data breach at the storied news outlet was the result of the Post failing to “implement adequate and reasonable cybersecurity procedures and protocols.” He also says he and other victims have suffered financially due to their data being stolen and that they want the Post to compensate them for identity theft and monitoring services.
He also is demanding that the news organization hardened its data security.
Growing List of Victims
The Post, which has more than 3,000 employees and about 2.5 million digital subscribers – is among a growing number of victims – with some estimates closing in on 100 companies – stemming from a threat group’s exploitations of a zero-day critical vulnerability (tracked as CVE-2025-61882) and other security flaws in Oracle’s E-Business Suite (EBS), a collection of enterprise software used to manage business functions like financials, human resourc
The Washington Post cybersecurity rating report: https://www.rankiteo.com/company/washingtonpost
"id": "WAS1765174011",
"linkid": "washingtonpost",
"type": "Breach",
"date": "12/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'incident': {'affected_entities': [{'customers_affected': '9,720 (employees, '
'independent '
'contractors, '
'contributors)',
'industry': 'Media',
'location': None,
'name': 'The Washington Post',
'size': '3,000+ employees, 2.5 million '
'digital subscribers',
'type': 'News Organization'}],
'attack_vector': 'Exploitation of zero-day vulnerability '
'(CVE-2025-61882) and other security flaws in '
'Oracle E-Business Suite (EBS)',
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': '9,720',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Personally identifiable '
'information (PII)',
'type_of_data_compromised': 'Personal data'},
'description': 'An ex-Washington Post employee filed a class '
'action lawsuit against the news organization '
'after a data breach exposed the personal data of '
'nearly 10,000 current and former workers, '
'alleging inadequate cybersecurity protections. '
'The breach affected employees, independent '
'contractors, and contributors, including '
'high-profile individuals like former National '
'Security Adviser John Bolton.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Personal data of 9,720 '
'individuals',
'downtime': None,
'financial_loss': 'Victims suffered financial losses',
'identity_theft_risk': 'Victims seek compensation for '
'identity theft and monitoring '
'services',
'legal_liabilities': 'Class action lawsuit filed',
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': 'Oracle E-Business Suite (EBS)'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'post_incident_analysis': {'corrective_actions': None,
'root_causes': 'Failure to implement '
'adequate and '
'reasonable '
'cybersecurity '
'procedures and '
'protocols'},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'recommendations': 'Hardened data security measures',
'references': [{'date_accessed': None,
'source': 'Politico',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': 'Class action lawsuit',
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'title': 'Washington Post Data Breach Lawsuit',
'type': 'Data Breach',
'vulnerability_exploited': 'CVE-2025-61882, Oracle E-Business '
'Suite (EBS) security flaws'}}