Breaches
Mar 16, 2026

Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact

Summary

The Cl0p ransomware group has claimed responsibility for a campaign exploiting zero-day vulnerabilities in Oracle E-Business Suite, compromising over 100 organizations across multiple sectors. Four major corporations—Broadcom, Bechtel, Estée Lauder, and Abbott—remain publicly silent on their potential involvement despite being listed on the Cl0p leak site with significant data volumes (2TB+ for Broadcom, 870GB for Estée Lauder) allegedly stolen and published.

Full text

Several global giants listed as victims of the recent hacking campaign targeting Oracle E-Business Suite (EBS) customers have remained mum on the impact of the cybersecurity incident.

The Cl0p ransomware and extortion group has taken credit for the EBS hacking campaign, which involved exploiting zero-day vulnerabilities to access data stored by organizations in Oracle’s enterprise management software. The compromised data was then leveraged for extortion.

While Cl0p serves as the public-facing extortion brand for the campaign, the cybersecurity community believes the operation may have been driven by a cluster of threat actors, most notably FIN11.

The hackers have listed more than 100 alleged victims of the Oracle EBS campaign on the Cl0p leak website, including organizations in sectors such as technology, telecommunications, software, heavy industry, manufacturing, engineering, retail, consumer goods, energy, utilities, media, finance, and entertainment.

For most of the victims, the cybercriminals published torrent files pointing to information allegedly stolen from their systems. This indicates that these victims have refused to pay a ransom.

A majority of the large organizations targeted in the campaign have issued a public statement confirming a data breach. Many claimed that the impact of the incident is limited, but still notified affected individuals about the potential risks.

However, a handful of very large companies do not appear to have issued any public statements on the matter, neither to confirm nor deny being hit, nor even to say that an investigation is being conducted. This includes semiconductor and infrastructure software company Broadcom, engineering and construction firm Bechtel, cosmetics group Estée Lauder Companies, and medical devices and healthcare solutions provider Abbott Laboratories. They were all listed on the Cl0p website on or around November 20, 2025.
It may take several months and even as much as a year for companies to investigate data breaches and determine their full extent. However, major companies typically acknowledge at least that an investigation is ongoing. Broadcom, Bechtel, Estée Lauder, and Abbott have not responded to repeated requests for comment.

Data leaked by hackers

SecurityWeek has not downloaded any of the leaked data, but has conducted a brief metadata and file-tree analysis of data allegedly obtained from some of the larger companies named on the Cl0p website and found that the files indeed originate from an Oracle EBS environment.

In the case of Broadcom, the cybercriminals made public more than 2TB of archives allegedly storing files stolen from the company. The Estée Lauder torrent file points to 870GB of archive files. At the time of writing, the torrents pointing to Bechtel and Abbott files are still available, but no data could be retrieved for analysis. However, that does not mean the files are no longer accessible to cybercriminals, as they may also be circulated privately on underground forums.

On the one hand, cybercrime groups like Cl0p frequently exaggerate the scope of their breaches, prompting many companies to quickly issue statements denying or downplaying the allegations to reassure customers and stakeholders that any impact was limited. Moreover, if no regulated data (such as health information, Social Security numbers, or payment details) was compromised, companies face no legal obligation to disclose the incident publicly. If the breach did not qualify as material, there is also no requirement under SEC rules to report it to investors.

On the other hand, some organizations may deliberately maintain silence for strategic, PR, and legal reasons. Even acknowledging an ongoing investigation could invite lawsuits, short-seller pressure, or additional regulatory scrutiny.
Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek.

Indicators of Compromise

  • malware — Cl0p
  • mitre_attack — FIN11
  • cve — Oracle EBS zero-day vulnerabilities