A significant security issue has emerged. According to The Washington Post, their system was compromised due to a vulnerability in Oracle’s E-Business Suite (EBS). Now, the NHS (National Health Service, UK) is also reviewing if they were compromised in the same way.
The Post looked into the matter and confirmed that they indeed were hacked. The hackers exploited a zero-day vulnerability (CVE-2025-61884) to gain access to a portion of their network.
Roughly 10,000 employees, both current and former, were affected by the exposure of their personal information.
The leaked personal information included:
While The Washington Post has not named them specifically, Clop asserted that they exploited the same Oracle vulnerability against multiple companies.
This suggests this is bigger than one company.
If your company is running Oracle EBS, instruct your IT group to implement the latest security patch as quickly as possible.
This attack serves as a wake-up call for the importance of keeping systems up to date, specifically when zero-day bugs are involved.
What Happened at The Washington Post
In September of this year, criminal hackers said they hacked the Washington Post’s Oracle cloud application.The Post looked into the matter and confirmed that they indeed were hacked. The hackers exploited a zero-day vulnerability (CVE-2025-61884) to gain access to a portion of their network.
Roughly 10,000 employees, both current and former, were affected by the exposure of their personal information.
The leaked personal information included:
- Names
- Bank account numbers
- Routing numbers
- Social Security numbers
- Tax ID numbers
Who is Responsible?
According to the infamous ransomware group Clop, they are responsible.While The Washington Post has not named them specifically, Clop asserted that they exploited the same Oracle vulnerability against multiple companies.
This suggests this is bigger than one company.
Why is the NHS Investigating?
Experts believe the NHS may also be affected by the same Oracle vulnerability. If so, this puts staff or patient data at risk. This raises the stakes even higher by risking the healthcare system.Why Does this Matter?
- Zero-day vulnerabilities are dangerous because no one knows about them pre-attack.
- Oracle EBS is a widely used technology for managing HR, salary, and finance, therefore, hacking groups like to attack it.
- Hackers attacking high-profile businesses such as The Washington Post (and possibly NHS) is an indicator of the range of spread for this attack
- Despite The Post's quick remediation, sensitive data of many individuals is already compromised.
What You Should Do
If you are an employee who received a notice from The Post, sign up for the free identity protection.If your company is running Oracle EBS, instruct your IT group to implement the latest security patch as quickly as possible.
This attack serves as a wake-up call for the importance of keeping systems up to date, specifically when zero-day bugs are involved.
