Extra, extra, read all about it: Washington Post clobbered in Clop caper

Steven

Extra, extra, read all about it: Washington Post clobbered in Clop caper

Summary

The Washington Post confirmed that nearly 10,000 current and former employees and contractors had sensitive personal data stolen after attackers exploited a previously unknown Oracle E-Business Suite (EBS) vulnerability linked to the Clop ransomware gang. The intruders accessed systems between 10 July and 22 August, and the paper was first contacted by a “bad actor” on 29 September. The stolen information included names, bank account and routing numbers, Social Security numbers and tax IDs. The Post notified affected people, offered identity-protection services where SSNs or tax IDs were exposed, and applied Oracle’s emergency patches once available.

Key Points

  • Attack exploited a previously unknown Oracle E-Business Suite flaw widely used by the Clop gang.
  • Intrusion window: 10 July to 22 August; reported by an attacker on 29 September and confirmed internally.
  • Almost 10,000 staff and contractors were notified; data exfiltrated included SSNs and bank details.
  • The Washington Post applied Oracle patches quickly and offered identity-protection to affected individuals.
  • The incident is part of a broader, global EBS-targeting campaign; expect further disclosures as organisations review logs.

Why should I read this

Short answer: because if you handle people’s data or run Oracle EBS, this affects you. Big-name victim, thousands affected, and the flaw was unknown before the raid — so patching and log-checking aren’t optional. We’ve read the filing and boiled it down so you don’t have to.

Author style

Punchy: high-impact breach, clear lessons for security teams and data custodians. If you’re responsible for systems, compliance or employee data, this warrants a closer read.

Context and Relevance

The disclosure adds the Washington Post to a growing list of victims (including GlobalLogic and Allianz UK) affected by the mass-exploitation of an Oracle EBS zero-day. Oracle released emergency fixes in late October, but many organisations are still assessing exposure. For readers managing Oracle EBS, HR systems or sensitive PII, the article underlines the urgency of patching, auditing logs and preparing notifications.

Source

Source: https://www.theregister.com/2025/11/13/washington_post_clop/