Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
“We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” Envoy Air told BleepingComputer.
“Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised.”
Envoy Air is a subsidiary of American Airlines and operates regional flights under the American Eagle brand. While it functions as a separate company, it is integrated into American’s network for ticketing, scheduling, and passenger service.
The Clop ransomware gang is now leaking what they claim to be the data stolen from Envoy on its data leak site, stating, “The company doesn’t care about its customers, it ignored their security!!!”
This new security incident is related to an August data theft campaign conducted by the Clop extortion group, which began emailing extortion demands to companies in September, claiming to have stolen data from Oracle E-Business Suite systems.
While Oracle initially stated that the threat actors were exploiting vulnerabilities patched in July, the company later disclosed that the extortion gang exploited a zero-day flaw tracked as CVE-2025-61882 in the attacks.
CrowdStrike and Mandiant later revealed that Clop exploited the flaws in early August to breach systems and deploy malware.
While Clop would not share how many companies were impacted by the data theft attacks, Google’s John Hultquist told BleepingComputer via email that they believe that dozens of organizations were affected.
The Clop gang is also extorting Harvard University as part of this same data theft campaign, with the university confirming to BleepingComputer that the incident impacts a “limited number of parties associated with a small administrative unit.”
Last week, Oracle silently patched another E-Business Suite zero-day tracked CVE-2025-61884 without disclosing that it was actively exploited in July 2025.
This zero-day is linked to an exploit leaked by the Shiny Lapsus$ Hunters extortion group on Telegram.
American Airlines previously suffered data breaches in 2022 and 2023 that exposed employees’ personal information.
Who is Clop?
The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in 2019 when it began breaching corporate networks to deploy a variant of the CryptoMix ransomware and steal data.
Since 2020, the extortion gang shifted from primarily ransomware to exploiting zero-day vulnerabilities in secure file transfer or data storage platforms to steal data.
Some of their attacks using zero-day flaws include:
The U.S. State Department currently offers a $10 million reward for information linking Clop’s ransomware activities to a foreign government.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
Source link
-
-
-
-
-
