Former Washington Post worker files class action lawsuit over data breach affecting nearly 10,000 people

A former employee of the Washington Post filed a class action lawsuit after a data breach exposed the personal information of 9,720 current and former workers, alleging that the news organization failed to implement adequate cybersecurity protections. The complaint was submitted by Jun Hee Kim, who worked at the Post in 2018 and 2019, and seeks compensation and strengthened data security measures.

Kim is pursuing relief on behalf of employees, independent contractors, and contributors whose information was compromised, a group that included high-profile past contributors such as former National Security Adviser John Bolton. The lawsuit states that victims suffered financial harm resulting from the theft of personal data and are seeking reimbursement for identity theft and credit monitoring services, along with assurances that the organization will harden its systems to prevent future intrusions.

The Washington Post, a major U.S. media company with more than 3,000 employees and roughly 2.5 million digital subscribers, is among a large and growing group of organizations impacted by cyberattacks exploiting a zero-day vulnerability tracked as CVE-2025-61882. The flaw and additional weaknesses in Oracle’s E-Business Suite, an enterprise software platform used to manage financial, human resources, supply chain, and customer relationship management functions, enabled unauthorized access to customer accounts.

Security analysts from multiple research teams, including Google Threat Intelligence Group and Mandiant, identified the Cl0p ransomware group as claiming responsibility for attacks targeting Oracle E-Business Suite users. The exploited vulnerability allowed remote intrusion without authentication, and Oracle has since issued security patches.

The Post disclosed the breach last month, confirming it had joined other affected institutions, including Harvard University, Dartmouth College, Logitech, GlobalLogic, Broadcom, Mazda, and Humana. Notifications sent in November stated that a threat actor contacted the organization on September 29, claiming access to its Oracle applications. An internal investigation with external specialists determined that a widespread, previously unknown vulnerability in its Oracle E-Business Suite environment enabled the intrusion.

The findings showed that personal data was taken between July 10 and August 22. Confirmation on October 27 verified that information belonging to employees, former staff, and contractors had been stolen. The compromised data varied by individual and included names, bank account and routing numbers, Social Security numbers, and tax identification numbers.

The organization implemented Oracle’s fixes and began offering complimentary identity protection services through IDX, a consumer privacy and data breach response firm. Legal activity followed soon after the Post notified the state of Maine and began alerting affected individuals. Kim is represented by Migliaccio & Rathod LLP, one of several firms, including Strauss Borrelli PLLC, that opened inquiries into the breach and began identifying potential claimants.