Clop Ransomware Targets NHS UK Just Days After Washington Post Incident

The ransomware group Cl0p has reportedly claimed responsibility for a significant data breach involving the National Health Service (NHS) in the UK. On November 11, 2026, the group made an announcement on its dark web leak site, criticizing NHS for its perceived negligence in safeguarding customer data, stating, “The company doesn’t care about its customers; it ignored their security.”

While Cl0p has not disclosed the specific volume of stolen data, this development aligns with ongoing attacks related to vulnerabilities in Oracle’s E-Business Suite (EBS). Recent reports have indicated that Cl0p has been exploiting such vulnerabilities as part of its operations.

Officials from NHS have yet to confirm an actual breach; however, their cybersecurity division issued warnings in October regarding critical flaws affecting Oracle EBS. These alerts emphasized the urgent need for public sector entities relying on the software to implement immediate patches and manage their internet exposure appropriately. The timing of Cl0p’s announcement raises concerns that the group may have leveraged vulnerabilities already flagged by NHS.

NHS UK data breach claims by Cl0p (Image credit: Hackread.com)

The Washington Post

As investigations into the NHS claim unfold, Cl0p’s methods have already illustrated a broader impact. Just days prior, on November 7, the group announced that it had successfully breached The Washington Post by taking advantage of the same flaws in Oracle EBS.

The attackers reportedly published a cache of 183GB of data in a folder designated ebs.washpost.com. The Washington Post subsequently confirmed its exposure, acknowledging that it was among the entities affected by a “breach of the Oracle E-Business Suite platform.”

Details on The Washington Post data breach (Image credit: Hackread.com)

Insights from Security Experts

Cybersecurity experts have observed that the attack on The Washington Post aligns with Cl0p’s established pattern of large-scale data theft targeting enterprise-level software across various sectors. According to Lidia Lopez, a Senior Threat Intelligence Analyst at Outpost24, this incident emphasizes Cl0p’s strategic focus on high-value business systems rather than indiscriminate targeting.

Cl0p appears to have shifted its tactics from traditional ransomware deployment to coordinated data-exfiltration campaigns capitalizing on zero-day vulnerabilities in critical software, including Oracle EBS, MOVEit, and GoAnywhere. Unlike many affiliate-based ransomware operations, Cl0p’s centralized approach enables it to orchestrate simultaneous attacks on multiple organizations before security vendors release patches.

The group typically scans for vulnerable systems and then establishes remote access to persist in the environment, allowing it to discreetly extract data over extended periods before issuing threats or making the data public.

Data breach repercussions from Cl0p against The Washington Post (Image credit: Hackread.com)

Faik Emre Derin, Technical Content Manager at SOCRadar, pointed out that the campaign focusing on Oracle EBS centers around CVE-2025-61882, a critical remote code execution vulnerability rated 9.8 on the CVSS scale. Analysis indicates that the exploitation of this flaw began as early as August 2025, well before Oracle issued an emergency patch on October 4. Attackers have concentrated on the BI Publisher Integration module, which permits unauthenticated access to susceptible systems.

The situation was exacerbated when another group, Scattered Lapsus$ Hunters, leaked proof-of-concept code on October 3, which facilitated an expansion of attacks globally, involving not only Cl0p but also other threat actors like FIN11. Organizations utilizing Oracle EBS are strongly advised to install the latest October 2025 patch without delay, conduct thorough forensic assessments, and watch for suspicious IP connections.

The repercussions of the ongoing campaign have also affected notable organizations, including Harvard University and Envoy, an American Airlines subsidiary. Investigators from Mandiant and Google’s Threat Intelligence Group have traced these activities back to late September 2025, targeting firms that heavily depend on Oracle EBS for finance, HR, and supply chain management. Despite Oracle’s release of patches addressing these vulnerabilities, many systems remain susceptible, leaving Cl0p and related groups with ongoing exploitation opportunities.

The inclusion of both NHS UK and The Washington Post as victims places Cl0p’s campaign among the most impactful enterprise software breaches in recent years. With large volumes of stolen data already circulating online and further victims likely to emerge, experts caution that the threat posed by unpatched Oracle systems persists.
