Automotive parts supplier LKQ Corporation has confirmed it was impacted by a broader cybercrime campaign targeting Oracle E-Business Suite (EBS) customers.

The incident resulted in the compromise of personal information belonging to more than 9,000 individuals, primarily sole proprietor suppliers. The breach appears limited to LKQ’s Oracle EBS environment and is part of a well-documented extortion campaign attributed to the Cl0p ransomware group.

Oracle E-Business Suite is a widely deployed enterprise resource planning (ERP) platform used for finance, supply chain management, and procurement.

Over the past year, Cl0p has repeatedly targeted vulnerabilities in enterprise software ecosystems, focusing on third-party platforms that aggregate sensitive business data. The group’s strategy centers on data theft and extortion rather than system-wide encryption.

LKQ, a Fortune 500 company serving automotive, commercial, and specialty vehicle markets, joins a growing list of organizations named publicly on Cl0p’s leak site.

LKQ confirmed it was targeted in the Oracle EBS campaign after being listed on Cl0p’s extortion portal in late October.

According to a notification submitted to the Maine Attorney General’s Office, LKQ began investigating suspicious activity on October 3 and concluded its assessment on December 1.

The company determined that attackers accessed data associated with sole proprietor suppliers, exposing information such as names, Employer Identification Numbers (EINs), and Social Security numbers.

LKQ stated that there is no evidence its internal systems were compromised outside of the Oracle E-Business Suite environment.

The Cl0p campaign targeting Oracle EBS is believed to involve exploitation of vulnerabilities in internet-facing application components or misconfigured access controls.

Once access is obtained, attackers exfiltrate large volumes of sensitive data stored within ERP systems. In LKQ’s case, the threat actors reportedly stole several terabytes of files from its EBS instance.

Rather than encrypting systems, Cl0p leverages stolen data as extortion pressure, publishing samples and offering full datasets for download when ransom demands are not met.

More than 9,000 individuals were affected, primarily small business suppliers whose personal identifiers were stored within LKQ’s procurement systems.

Exposure of EINs and Social Security numbers presents a long-term risk of identity theft and financial fraud.

Operationally, LKQ reported no broader system disruption, but reputational and regulatory implications remain, particularly as data has already been released publicly.

This incident highlights the growing risk concentration within enterprise platforms that centralize sensitive data across large supplier and partner ecosystems.

Even when core corporate networks remain intact, breaches of third-party business systems can result in significant downstream exposure for individuals and small businesses.

The case reinforces the need for continuous monitoring, segmentation, and rapid patching of ERP environments.

Cl0p’s continued focus on ERP and managed file transfer platforms reflects a strategic shift toward high-value, low-noise extortion operations.

By exploiting shared enterprise infrastructure, attackers can compromise thousands of records without deploying ransomware or triggering immediate operational alarms.