Washington Post Accused of Failing to Protect Employee Data in Major Cyberattack

Case Overview: A lawsuit claims the Washington Post failed to secure employee data exposed in a large-scale cyberattack.

Consumers Affected: Nearly 10,000 current and former Washington Post employees.

Court: U.S. District Court for the District of Columbia

The Washington Post has been hit with legal action from a former employee after a cyberattack earlier this year exposed personal information belonging to nearly 10,000 current and former employees. 

Former staffer Jun Hee Kim filed the proposed class action lawsuit claiming the newspaper giant failed to put reasonable security measures in place, leaving workers vulnerable to identity theft and financial harm, Politico reports.

The breach occurred when hackers exploited a previously unknown flaw in Oracle’s E-Business Suite, a core business-management platform used by the Post. Attackers gained unauthorized access between July and August, pulling sensitive data ranging from names and Social Security numbers to bank account and routing details. 

The Post confirmed the scope of the breach in late October and notified those affected the following month.

Former Employee Says the Newspaper Ignored Security Risks

Kim, who worked at the Post from 2018 to 2019, alleges the company failed to properly secure employee information and respond swiftly enough to protect staff once the breach was discovered. 

She argues in the lawsuit that affected workers have suffered financial losses, heightened risk of identity theft, and ongoing uncertainty about how their information might be used. Because of that, she said they are entitled to monetary damages, identity protection, and a court order requiring the Post to strengthen its data-security protocols.

Stolen Data Includes Financial and Tax Information

The Washington Post says it learned of the intrusion in late September when a hacker claimed to have accessed its Oracle systems. A forensic review confirmed that attackers had taken advantage of a large-scale software vulnerability affecting numerous organizations worldwide. The company patched its systems, applied Oracle’s fixes, and launched an internal investigation to determine the extent of the compromise.

According to disclosures, the stolen data varied by individual but may include tax ID numbers, bank details, employment information, and other identifying records. The newspaper is offering two years of complimentary identity protection services through IDX to anyone affected.

Wider Cyberattack Tied to Global Ransomware Campaign

The Washington Post is far from the only company affected by a flaw in Oracle’s E-Business Suite, which was targeted by the Clop ransomware gang. The group ran a sweeping extortion campaign against companies and universities across the U.S. and abroad. 

Victims reportedly include Harvard, Dartmouth, Mazda, Logitech, Hitachi, Broadcom, Envoy Air, and Humana. Oracle released a patch in November 2025, but by then, attackers had already siphoned data from dozens of high-profile institutions, according to Cybersecurity Insiders.

The lawsuit against the Post joins a growing list of legal actions tied to major cyberattacks. Air France and the University of Pennsylvania are among the latest organizations accused of failing to protect personal information now circulating online.

Has your employer ever been hit by a data breach? Tell us how it affected you in the comments.