Envoy Air, an American Airlines subsidiary, has confirmed that it was among the dozens of organizations compromised via Oracle E-Business Suite (EBS) security flaws, after the Clop extortion crew claimed its parent company as one of the gang's victims.
“We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” an Envoy spokesperson told The Register.
“Upon learning of the matter, we immediately began an investigation and law enforcement was contacted,” the statement continued. “We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised.”
The breach did not touch any American Airlines IT environments or data, nor did it impact Envoy’s flight or airport ground handling operations.
The spokesperson declined to comment on the criminals’ extortion demand.
On Thursday, Clop added American Airlines to its leak site, claiming to have broken into its systems. In a post seen by The Register and shared on social media, the extortion crew wrote: “The company doesn’t care about its customers, it ignored their security!!!”
Remember MOVEit?
The fallout from the Oracle EBS heists continues to unfold and the total victim count is not yet known. Last week, however, Google's chief threat analyst said his team believes that "dozens" of organizations were affected, and that the intruders likely had a three-month head start on defenders.
“Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at Google Threat Intelligence Group, told The Register. “Unfortunately, large scale zero-day campaigns like this are becoming a regular feature of cybercrime.”
Clop is probably best known for the 2023 attack on Progress Software's MOVEit file transfer product, which hit at least 2,773 organizations and more than 95 million individuals. Major organizations including the US Department of Energy, Xerox, Nokia, Bank of America, Morgan Stanley, and Amazon were among those whose data was exposed in that supply chain attack.
Attack timeline
The cybercrime mob's latest attempt at a similarly large-scale data theft came to light in September, when criminals claiming to be affiliated with Clop began bombarding executives at numerous organizations with extortion emails asserting that sensitive data had been stolen from their EBS environments.
On October 2, Oracle told customers that the thieves may have exploited security holes that were patched in July 2025 and recommended that they apply the latest critical patch updates.
Two days later, Oracle pushed an emergency patch for a zero-day bug in EBS, tracked as CVE-2025-61882, that Clop had already abused for data theft and extortion.
Researchers have found signs of Clop rummaging through Oracle customers' EBS environments since at least August. According to Google's threat hunters, the activity began a month earlier, in July, and may have ties to the crew behind the Salesforce data thefts.
And if things weren't already bad enough for Big Red, earlier this week Oracle pushed yet another emergency patch for EBS, separate from the October 4 fix for CVE-2025-61882.
This one is tracked as CVE-2025-61884, carries a CVSS score of 7.5, and affects the Runtime UI component of EBS. Oracle's advisory warns that the flaw can be exploited remotely without authentication, meaning an attacker needs no credentials, and "may allow access to sensitive resources." Customers who applied only the earlier emergency patch therefore still have work to do.