Cox Enterprises has officially confirmed that its Oracle E-Business Suite (EBS) system was compromised as part of a recent, widespread cybercrime operation that has impacted numerous organizations. Initially silent when listed as a victim on the Cl0p ransomware leak site in late October, the company later verified the targeting in a report to the Maine Attorney General last week. The breach occurred between August 9 and August 14, and the company stated that the attackers successfully obtained personal information belonging to approximately 9,500 people.
The conglomerate, which operates in communications, automotive services, and agriculture, has not clarified which specific business divisions were affected by the data breach. Consequently, it remains unknown whether the compromised records belong to employees, customers, partners, or a mix of these groups. The cybercriminals responsible for the attack have since published 1.6 terabytes of archived files, which they claim contain data stolen from Cox.
The list of organizations identified on the Cl0p leak website, all allegedly victims of the Oracle EBS campaign, has surpassed 100. Roughly half of these are significant companies spanning diverse and critical sectors. These include IT, telecommunications, healthcare and pharmaceuticals, heavy industry, manufacturing, automotive and transportation, retail, energy and utilities, and media. Several major entities, such as Logitech, The Washington Post, Harvard University, Mazda, and American Airlines subsidiary Envoy Air, have already publicly acknowledged that they were targeted. However, a number of other large firms listed, including Schneider Electric, Emerson, Broadcom, and Michelin, have not yet responded to inquiries regarding their status.
While Cl0p has been the public-facing entity claiming responsibility for the Oracle EBS attacks, the broader cybersecurity community has attributed the operation to a distinct threat actor cluster tracked as FIN11. This group is also associated with previous, similar high-profile cyberattacks that targeted customers utilizing various file transfer solutions, notably Cleo, MOVEit, and Fortra products. This consistent methodology suggests a recurring and organized campaign strategy.
Historically, organizations have been listed on the Cl0p website only if they were in fact breached. However, threat actors commonly overstate the scope or severity of a data breach, often dramatically, to pressure victims into paying a ransom. For instance, the United Kingdom’s National Health Service (NHS) has confirmed that it is investigating the incident but has not yet confirmed a successful data breach.