Nearly 10,000 staff and contractors warned after attackers raided newspaper's Oracle EBS setup

The Washington Post has confirmed that nearly 10,000 employees and contractors had sensitive personal data stolen in the Clop-linked Oracle E-Business Suite (EBS) attacks.

In a filing with Maine's attorney general, submitted on November 12, the Post details how the newspaper was contacted by a "bad actor" on September 29 who claimed to have breached its Oracle EBS environment.

An internal investigation later confirmed the intruder's claims and tied the access to the previously unknown Oracle EBS vulnerability that cybercriminals have exploited across multiple organizations. The Clop ransomware gang has claimed responsibility for those attacks, posting dozens of alleged victims on its dark web leak site.

According to the Post's notice, attackers accessed and exfiltrated data between July 10 and August 22.

The newspaper determined on October 27 that the stolen information included names, bank account and routing numbers, Social Security numbers, and tax ID numbers ...