The Washington Put up is notifying almost 10,000 workers and contractors that a few of their private and monetary information has been uncovered within the Oracle information theft assault.
The information group is without doubt one of the largest day by day newspapers within the U.S. with roughly 2.5 million digital subscribers.
Between July 10 and August 22, risk actors accessed elements of its community. They leveraged a vulnerability in Oracle E-Enterprise Suite software program that was a zero-day on the time to steal delicate information.
In late September, the hackers tried to extort the Washington Put up, together with different main corporations they’d breached the identical method.
The hackers leveraged a then-zero-day vulnerability in Oracle E-Enterprise Suite software program that the Washington Put up used internally, stole information, after which tried to extort the agency in late September.
Oracle E-Enterprise Suite is a broadly used enterprise useful resource planning (ERP) platform with HR, finance, and provide chain features that giant organizations use internally.
In response to the Washington Put up’s notification to impacted people, Oracle disclosed the security vulnerability whereas the information group was investigating the breach incident.
“On September 29, 2025, the Put up was contacted by a foul actor who claimed to have gained entry to its Oracle E-Enterprise Suite purposes,” describes the letter.
“In response, the Put up launched an intensive investigation of its Oracle utility setting with the help of specialists to find out if the setting had been accessed with out authorization.”
“Through the investigation, Oracle introduced that it had recognized a beforehand unknown and widespread vulnerability in its E-Enterprise Suite software program that permitted unauthorized actors to entry many Oracle prospects’ E-Enterprise Suite purposes.”
Though the attackers aren’t named within the letter, the Clop ransomware group has been linked to these assaults, exploiting a zero-day flaw that’s now tracked as CVE-2025-61884.
Among the many organizations that have been breached utilizing the identical vulnerability in Oracle E-Enterprise Suite are Harvard College, American Airways subsidiary Envoy Air, and Hitachi’s GlobalLogic.
These are among the victims who’ve confirmed a breach or are investigating suspicious exercise of their environments. Nonetheless, Clop’s information leak web site lists a bigger variety of breached organizations.
The Put up’s investigation into the incident concluded on October 27 and revealed that the next kinds of information belonging to 9,720 workers and contractors had been compromised:
- Full names
- Checking account numbers and routing numbers
- Social Safety numbers (SSNs)
- Tax and ID numbers
Impacted people acquired a 12-month free-of-charge identification safety service protection by means of IDX and are really useful to think about putting a security freeze on their credit score file and organising fraud alerts on their report.
In June, the Washington Put up introduced that the e-mail accounts of a number of of its journalists had been compromised in a cyberattack performed by international state actors.
Whereas the 2 incidents occurred shortly after each other, there may be proof of a connection between them.
BleepingComputer has contacted The Washington Put up with further questions, and we are going to replace this put up once we obtain a reply.
It is funds season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the 12 months forward. This report compiles their insights, permitting readers to benchmark methods, determine rising traits, and evaluate their priorities as they head into 2026.
Find out how high leaders are turning funding into measurable affect.
