According to TechCrunch, The Washington Post confirmed it was affected by hacking campaigns tied to Oracle’s corporate software apps, specifically the Oracle E-Business Suite platform. The ransomware gang Clop began targeting companies in late September by exploiting multiple vulnerabilities in Oracle’s business software, which companies use for HR files and sensitive operations data. Google reported last month that the exploits allowed hackers to steal customer business data and employee records from more than 100 companies. Corporate executives started receiving extortion messages from email addresses associated with Clop, claiming they had stolen large amounts of sensitive internal data. Anti-ransomware firm Halcyon said hackers demanded one executive pay $50 million in ransom. On Thursday, Clop claimed on its website that it hacked The Washington Post, using language that typically indicates the victim hasn’t paid.
Oracle’s questionable response
Here’s the thing that really bothers me about this situation. When TechCrunch reached out to Oracle spokesperson Michael Egbert, he just referred them to existing advisories and didn’t answer any questions. Basically, Oracle’s playing the “we already told you about this” card while major organizations continue getting compromised. They published those security updates and an alert about CVE-2025-61884, but clearly that wasn’t enough. And we’re talking about business-critical software here – the kind that handles everything from payroll to sensitive corporate data. When companies rely on enterprise software providers, they expect better security than this.
The widening circle of victims
This isn’t just about The Washington Post. We’re seeing a pattern emerge where multiple major organizations are confirming they’ve been hit. Harvard University has acknowledged a “limited number” of people were affected by data theft linked to these Oracle hacks. American Airlines subsidiary Envoy also confirmed it experienced Oracle data theft. The Clop gang has been publicly boasting about their Washington Post hack as a pressure tactic. And honestly, that’s becoming their signature move – when victims don’t pay up, they go public with the stolen data. Harvard’s situation and the Envoy breach show this is far from isolated. We’re probably looking at just the tip of the iceberg here.
The uncomfortable truth about corporate security
So what does this tell us? That even major, well-resourced organizations using enterprise software from giants like Oracle can get completely owned. The hackers aren’t just going after small businesses – they’re targeting the big players who presumably have decent security budgets. And they’re hitting them through their business applications, the very software that’s supposed to help run their operations securely. It makes you wonder – if organizations like The Washington Post and Harvard can’t protect their Oracle installations, what chance do smaller companies have? This is exactly why companies need to seriously evaluate their enterprise software security posture, especially when it involves critical business operations.
