Ex-Employee Sues Washington Post Over Oracle EBS-Related Data Breach
The Washington Post is being sued over a data breach in which the information of nearly 10,000 current and former employees was stolen through an Oracle software vulnerability; victims are seeking compensation and stronger security measures.

2025-12-8 05:16:50 Author: securityboulevard.com

An ex-Washington Post employee reportedly is suing the news organization in the wake of a data breach that exposed the personal data of almost 10,000 current and former workers, saying the company failed to put adequate protections in place.

According to Politico, Jun Hee Kim, who worked at the Post in 2018 and 2019, filed a class action lawsuit that includes the 9,720 people potentially victimized by the hack, which includes not only employees but also independent contractors and contributors, who reportedly included former National Security Adviser John Bolton.

In the lawsuit, Kim reportedly claims the data breach at the storied news outlet was the result of the Post failing to “implement adequate and reasonable cybersecurity procedures and protocols.” He also says he and other victims have suffered financially due to their data being stolen and that they want the Post to compensate them for identity theft and monitoring services.

He also is demanding that the news organization harden its data security.

Growing List of Victims

The Post, which has more than 3,000 employees and about 2.5 million digital subscribers, is among a growing number of victims – with some estimates closing in on 100 companies – stemming from a threat group’s exploitation of a critical zero-day vulnerability (tracked as CVE-2025-61882) and other security flaws in Oracle’s E-Business Suite (EBS), a collection of enterprise software used to manage business functions like financials, human resources, supply chain, and customer relationship management (CRM).

Security researchers, including those from Google Threat Intelligence Group and Google’s Mandiant business, in October wrote in a report that the notorious Cl0p ransomware group was taking credit for the attacks on the Oracle EBS software and was sending extortion emails to corporate executives.

The vulnerabilities have allowed bad actors to access the accounts of EBS customers. CVE-2025-61882 can be exploited remotely without the need for authentication, according to Oracle, which issued fixes.

Vulnerabilities Detected

The Post reported its data breach last month, joining a list of victims that includes higher education institutions like Harvard University and Dartmouth College and corporations such as Logitech, Hitachi subsidiary GlobalLogic, Broadcom, Mazda, and Humana.

In notices sent out in November to victims, the Post wrote that it was contacted by a threat actor on September 29 claiming to have gained access to its Oracle EBS applications. An investigation by the news organization and “experts” detected a “previously unknown and widespread vulnerability” in its Oracle EBS software that allowed for unauthorized access.

The investigation found that the bad actor stole personal data between July 10 and August 22, and the Post confirmed October 27 that personal information of employees – both current and former – and contractors was stolen. The data varies by victim, but could include names, bank account numbers and associated routing numbers, Social Security numbers, and tax ID numbers.

Fixes Applied

The Post applied the fixes issued by Oracle and is providing victims with complimentary ID protection services via data breach response and consumer privacy services firm IDX.

Kim, the former Post employee, is being represented by Migliaccio & Rathod LLP, one of a number of law firms – another being data breach specialist Strauss Borrelli PLLC – that launched an investigation into the data breach and a search for possible victims days after the newspaper notified the state of Maine about the breach and began sending out notices to impacted individuals.


Source: https://securityboulevard.com/2025/12/ex-employee-sues-washington-post-over-oracle-ebs-related-data-breach/