A class action lawsuit alleges The Washington Post failed to protect the personal and financial data of approximately 10,000 employees and contractors after a cyberattack exploited a vulnerability in Oracle E-Business Suite. The breach went undetected for over three months before affected individuals were notified. For more class action news, visit OpenClassActions.com.
What Happened?
According to the complaint filed in Kim v. WP Company LLC d/b/a The Washington Post, an unauthorized party gained access to The Washington Post’s systems through a vulnerability in Oracle E-Business Suite — the enterprise software the newspaper uses to manage payroll and human resources functions. The intrusion occurred between July 10 and August 22, 2025, but was not discovered until approximately October 27, 2025. Affected employees and contractors were not notified until November 12, 2025.
What Data Was Exposed?
- Employee names and Social Security numbers
- Bank account and routing numbers used for direct deposit
- Dates of birth
- Home addresses
- Employment identification numbers
What Are the Legal Claims?
The complaint, filed December 4, 2025 in the U.S. District Court for the District of Columbia, alleges that The Washington Post failed to implement reasonable cybersecurity measures, failed to timely detect the unauthorized access despite it lasting more than six weeks, and delayed notification to affected individuals for an additional seven weeks after discovery. The lawsuit seeks damages for the heightened risk of identity theft and the costs associated with monitoring and protecting compromised financial accounts.
| Detail | Information |
| Case | Kim v. WP Company LLC d/b/a The Washington Post |
| Court | U.S. District Court, District of Columbia |
| Filed | December 4, 2025 |
| Breach Window | July 10 – August 22, 2025 |
| Individuals Affected | ~10,000 employees and contractors |
| Status | Active litigation |
Who Is Affected?
Current and former employees and contractors of The Washington Post whose payroll and HR data was processed through the compromised Oracle E-Business Suite system may be affected. If you received a breach notification letter from The Washington Post in late 2025, your data was likely part of this incident.
This page is for informational purposes and does not constitute legal advice. Visit OpenClassActions.com for more open class actions.
Related Data Breach Cases on OpenClassActions
- Coinbase Employee Data Breach Customer Information Class Action Lawsuit
- Forever 21 Employee Data Breach Class Action Settlement
- Rumpke $750,000 Employee Data Breach Class Action Settlement
- Advance Auto Parts Employee Data Breach Class Action Settlement
- Madison Square Garden Data Breach — Oracle E-Business Suite Vulnerability Exposes Employee SSNs