Cox Enterprises Confirms Oracle E-Business Suite Breach Affecting Nearly 9,500 Individuals
Cox Enterprises has confirmed it was impacted in the widespread cybercrime campaign targeting Oracle E-Business Suite (EBS) customers

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cox Enterprises has confirmed it was impacted in the widespread cybercrime campaign targeting Oracle E-Business Suite (EBS) customers, adding its name to a growing list of major organizations affected by this coordinated attack. The breach, first publicly hinted at on the Cl0p ransomware group’s leak site in late October, was officially acknowledged last week in a filing with the Maine Attorney General.
What Cox Has Confirmed So Far
According to Cox, attackers gained unauthorized access to its Oracle EBS environment between August 9 and August 14, obtaining personal information belonging to nearly 9,500 individuals. The company has not disclosed which business units were affected—Cox operates in communications, automotive services, and agriculture—nor has it specified whether the stolen data pertains to employees, customers, or business partners.
Threat actors have already published 1.6 terabytes of archives they claim were taken from Cox, though the extent and relevance of those files are still unclear.
A Growing List of Global Victims
Cox is only one among over 100 organizations now listed on the Cl0p leak site as victims of the Oracle EBS breach campaign. Nearly half of these organizations operate in high-value or highly targeted sectors, including:
- Information technology and telecommunications
- Healthcare and pharmaceuticals
- Automotive, transportation, and manufacturing
- Energy, utilities, and retail
- Media and publishing
Several well-known brands—such as Logitech, The Washington Post, Harvard, Mazda, and Envoy Air (a subsidiary of American Airlines)—have confirmed they were affected.
Others, however, have not responded publicly to inquiries, including Schneider Electric, Emerson, Broadcom, Canon, Michelin, Entrust, LKQ Corporation, and Pan American Silver. The UK’s National Health Service (NHS) has acknowledged that an investigation is ongoing but has not confirmed a data breach.
Who Is Behind the Oracle EBS Campaign?
While Cl0p is the group publicly claiming responsibility, cybersecurity researchers widely assess that the attacks align with the activity of FIN11, a financially motivated threat actor known for large-scale data theft and extortion. FIN11 has previously been linked to high-impact incidents involving Cleo, MOVEit, and Fortra file transfer products.
Their tactics often involve:
- Attacking widely used enterprise software
- Exfiltrating large volumes of data
- Threatening public disclosure to extort victims
This campaign appears consistent with those methods.
Looking Ahead: What Organizations Should Know
Historically, organizations listed on Cl0p’s site are rarely added without some form of compromise. However, researchers caution that the group may exaggerate breach scope to increase pressure on victims.
Key Takeaways
- Oracle EBS customers should review their environments for indicators of compromise.
- Organizations should confirm whether their EBS systems were patched and properly segmented during the attack window.
- Any entity listed on a ransomware group’s site should conduct a full forensic review, regardless of whether data exposure is initially confirmed.
The Cox incident underscores the continued targeting of widely deployed enterprise systems—and the cascading impact when a single technology becomes the center point of a global attack campaign.

