Envoy Air, a subsidiary of American Airlines, has confirmed that it was affected by the recent wave of cyberattacks exploiting Oracle’s E-Business Suite (EBS) enterprise platform.
Late last week, American Airlines appeared on the dark web leak portal operated by the Cl0p ransomware group, which has claimed responsibility for the ongoing Oracle EBS campaign. The operation has been associated with the financially motivated FIN11 threat group.
According to reports, the attackers published what they claim to be over 26 gigabytes of stolen data from American Airlines. However, further investigation suggests that the actual target was an Oracle EBS instance managed by Envoy Air, rather than American Airlines itself.
Headquartered in Texas, Envoy Air serves as the largest regional carrier under the American Eagle brand, operating more than 800 daily flights to over 160 destinations.
In a public statement, the company acknowledged being affected by the Oracle EBS campaign but clarified that its internal investigation found no evidence of customer or sensitive personal data exposure. Envoy did note, however, that “a limited amount of business-related information and commercial contact details” may have been accessed during the intrusion.
The first confirmed organization impacted by the Oracle EBS breach was Harvard University, followed by others such as the University of the Witwatersrand in Johannesburg, South Africa. The South African institution also confirmed the incident on its official website and stated that it is still determining the extent of data compromised, though stolen files have already surfaced online.
The Cl0p leak site additionally lists industrial manufacturer Emerson among its victims, though no data from the company has been released publicly at this time.
Cybersecurity researchers have observed that dozens of organizations targeted in the Oracle EBS attacks have received extortion demands, and those now appearing on Cl0p’s leak platform are likely the ones that refused to pay a ransom.
While the campaign is attributed to both Cl0p and FIN11, analysts at Google’s Mandiant note that multiple threat clusters operate under the FIN11 umbrella, and it remains unclear which specific subgroup executed these breaches.
The precise vulnerabilities exploited in the Oracle EBS campaign remain uncertain. Oracle initially stated that the attackers took advantage of previously known flaws addressed in its July patches, but later confirmed that a zero-day vulnerability (CVE-2025-61882) had also been exploited. The company has since released an additional fix for another flaw, CVE-2025-61884, which could expose sensitive information, though it has not been confirmed whether that issue was similarly abused in these attacks.