Washington Post notifies 10,000 individuals affected in Oracle-linked data theft


The Washington Post warns nearly 10,000 employees and contractors that personal and financial data was exposed in the Oracle breach. The popular newspaper has approximately 2.5M digital subscribers.

Between July 10 and August 22, threat actors exploited a then-zero-day Oracle E-Business Suite flaw, tracked as CVE-2025-61884, to access parts of the Washington Post network, stealing sensitive data. In late September, the Clop ransomware group attempted extortion.

On September 29, 2025, the Washington Post was alerted by a threat actor claiming access to its Oracle E-Business Suite. An investigation, aided by experts, confirmed a widespread, previously unknown Oracle vulnerability affecting many customers.

In mid-October, the Clop ransomware group claimed the breach of The Washington Post and added the American daily newspaper to its Tor data leak site.

The group claimed the company was breached due to its neglect of security, despite its responsibility to protect customers.

“The Post’s investigation confirmed that it was impacted by this exploit and determined that, between July 10, 2025, and August 22, 2025, certain data was accessed and acquired without authorization. Upon learning this, the Post conducted a prompt review of the impacted data in order to determine what information was affected and identify contact information for affected individuals.” reads the data breach notification sent to the impacted individuals and shared with the Maine Attorney General. “On October 27, 2025, the Post confirmed that certain personal information belonging to current and former employees and contractors was affected by this incident.”

The stolen data varies by individual; however, it may include names, bank account numbers and associated routing numbers, Social Security numbers, and/or tax ID numbers.

The company provides affected individuals with 12 months of free identity protection and advises them to freeze their credit files and enable fraud alerts.

Harvard and Envoy Air are among the confirmed victims of the Oracle E-Business Suite breach.

“Twenty-nine alleged victims of the Oracle EBS hack have been listed on the Cl0p leak website to date. The organizations that were the first to be named, such as Harvard University, South Africa’s Wits University, and American Airlines subsidiary Envoy Air, confirmed being impacted shortly after they were named by the attackers in mid-October.” reported SecurityWeek.

Pierluigi Paganini

(SecurityAffairs – hacking, The Washington Post)