Threat actors aligned with the Clop ransomware group are claiming to have stolen sensitive data from Oracle Corp.’s E-Business Suite and, though Oracle has yet to confirm a breach, customers are reportedly receiving demands for payment in exchange for not publishing the stolen data.
The campaign involving the allegedly stolen data first surfaced in late September, when executives at multiple companies began receiving emails alleging that attackers had exfiltrated financial and operational data from their Oracle EBS systems.
The emails, sent from hundreds of compromised third-party accounts, threatened to publish or sell the data unless victims agreed to pay large sums, in some cases reaching as high as $50 million. In the emails, the attackers offer proof of compromise, including file tree listings and screenshots.
Security researchers say the emails use contact addresses tied to Clop’s leak site, suggesting either direct involvement or impersonation of the notorious group. Clop and its affiliates do have a history of using high-profile enterprise software vulnerabilities to pressure victims into multimillion-dollar payouts, including last year’s MOVEit file transfer hacks.
Oracle confirmed that it’s aware of the extortion messages and is assisting affected customers but has not confirmed whether data theft actually occurred.
Rob Duhart, chief security officer at Oracle Security, said in a blog post that vulnerabilities patched in its July 2025 Critical Patch Update could be possible entry points. Oracle fixed more than 300 issues across its products in the release, including nine affecting EBS, with some of the vulnerabilities having the potential to be exploited remotely without authentication.
Investigators from Mandiant and other threat intelligence firms are tracking the campaign, but so far no evidence has been published to validate the scale of the alleged breach.
“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts,” Charles Carmakal, consulting chief technology officer at Mandiant, told CyberScoop. “The malicious emails contain contact information and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site.”
With no solid confirmation of a breach, some analysts warn that the campaign could be a bluff designed to create panic among organizations that run EBS, which underpins critical functions such as finance, supply chain and human resources. If the hacking claims are accurate, though, the potential impact would be severe, exposing sensitive corporate data across multiple industries.
Dr. Chris Pierson, a former Department of Homeland Security cybersecurity official and chief executive of digital executive protection firm BlackCloak Inc., told News via email that “extortion attempts like this highlight the reality that executives are increasingly being singled out as the soft underbelly of the corporation for cybercriminals.”
“Cybercriminals recognize that targeting the C-suite creates urgency, exposes them to high risk and instills fear that can lead to other issues,” said Pierson. “The challenge for organizations is twofold: hardening the systems that store the most sensitive corporate data and ensuring executives are prepared with the right playbook when extortion attempts land in their inbox.”
Third-party vendor risks will continue to be a favorite target of cybercriminals, he added, “and we’ve seen a marked increase in these systems being targeted because they yield information on not one company, but hundreds or thousands of companies. The companies that come out ahead are those that treat digital executive protection as part of their overall cybersecurity posture rather than an afterthought.”