Executive Summary
- The Washington Post disclosed a data breach affecting 9,720 current and former employees and contractors.
- The incident was an external hack of the company’s Oracle E-Suite system that exposed names and other personal identifiers.
- The breach occurred on July 10, 2025, but was not discovered until October 27, 2025.
- Affected individuals are being offered 12 months of complimentary identity protection services through IDX.
The Washington Post has disclosed a data breach that exposed the personal information of 9,720 current and former employees and contractors. The incident originated from a security compromise of the company’s Oracle E-Suite enterprise resource planning (ERP) system, according to official notifications filed with state regulators.
The breach notification, submitted to the Maine Attorney General’s office, states the incident was an external hacking event that occurred on July 10, 2025. However, the breach was not discovered by the news organization until more than three months later, on October 27, 2025. The attackers reportedly gained access to a combination of names and other personal identifiers, heightening the risk of identity theft for those affected.
In response to the incident, The Washington Post began issuing written notices to all impacted individuals on November 12, 2025. The company is offering 12 months of complimentary identity protection and credit monitoring services through the provider IDX to help mitigate potential harm from the data exposure.
This event underscores the security vulnerabilities associated with complex third-party enterprise software. News organizations, which manage sensitive data related to sources, employees, and business partners, continue to be significant targets for cybercriminals. Security experts consistently advise organizations to implement robust monitoring and rapid incident detection protocols for their ERP systems to minimize exposure and organizational risk.