The Washington Post confirms data breach linked to Oracle hack

The Washington Post has publicly confirmed it is among the hundreds of organizations worldwide impacted by a massive cyber breach tied to an undisclosed vulnerability in Oracle’s E-Business Suite (EBS) platform.

The incident is yet another demo of the acute risk posed by supply chain vulnerabilities, where the compromise of widely used third-party enterprise software can lead to data theft at hundreds of seemingly secure companies.

Exploiting a ubiquitous enterprise system

The attack did not target The Washington Post’s direct editorial systems or subscriber accounts, but rather the essential financial and logistical software it uses.

The breach was traced back to an exploit targeting a vulnerability within the Oracle E-Business Suite (EBS). This application suite is used by thousands of major corporations globally to manage critical business processes, including customers, suppliers, and internal logistics.

The Clop ransomware gang has already claimed responsibility for the Oracle breach and subsequent hacks, prominently listing The Washington Post on its dark web leak site. Clop is one of the world's most prolific cybercriminal groups, known for massive supply-chain attacks, including the exploitation of MOVEit Transfer and GoAnywhere MFT in 2023.

Cybersecurity firms and Google have estimated that the sweeping hacking campaign targeting the Oracle platform has affected over 100 companies globally, with some early reports suggesting millions of records were initially exfiltrated from the broader Oracle cloud ecosystem.

In an official statement, the D.C.-based newspaper acknowledged it was impacted "by the breach of the Oracle E-Business Suite platform," but did not immediately disclose the exact nature or volume of the data stolen.

Clop's trademark extortion tactic

The presence of The Washington Post on Clop’s leak site is part of the group’s standard double-extortion tactic. The hackers publish the victims' names to publicly shame them into paying a ransom in exchange for a promise not to release the stolen data.

Experts warn that such a high-profile attack serves as a stark warning about the pervasive risk in the enterprise software supply chain. And while The Washington Post and Oracle have not detailed how the critical vulnerability was exploited, the focus has shifted to urging all organizations using Oracle EBS to immediately apply all recent security patches to prevent further exploitation.