Cyber attack on Oracle Platform Results in Massive Washington Post Data Leak

The Washington Post reported that in September, cyber criminals exploited a zero-day vulnerability in Oracle E-Business Suite, compromising the personal information of nearly 10,000 individuals.

 

In a data security incident notice filed with the Office of Maine Attorney General, The Washington Post said that on October 27 it became aware of a security incident involving a previously undiscovered vulnerability in its Oracle E-Business Suite, which exposed sensitive personal information belonging to current and former employees.

 

Oracle E-Business Suite is a popular enterprise resource planning (ERP) system that large organisations use to manage key internal functions such as human resources, finance, and supply chain operations.

 

The organisation immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“During our investigation, we learned that Oracle had identified a previously unknown and widespread vulnerability in its E-Business Suite software that permitted unauthorised actors to access many Oracle customers’ E-Business Suite applications. Our investigation confirmed that we were impacted by this exploit, and we discovered that, between July 10, 2025, and August 22, 2025, certain data was accessed and acquired without authorisation,” The Post said.

 

The compromised data included  names, bank account numbers and associated routing numbers, Social Security numbers, and tax ID numbers. The filing with the Maine state regulator’s office also states that The Post has identified at least 9,720 individuals affected by the incident.

 

“We conducted a thorough investigation with the help of forensic experts, and promptly secured our systems and Oracle application environment, including by applying patches as soon as Oracle made them available,” The post added.

 

The company has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered one year of complimentary identity protection and credit monitoring services through IDX to all affected individuals.