American Airlines subsidiary Envoy Air has confirmed being impacted by the recent cybercrime campaign targeting organizations that use Oracle’s E-Business Suite (EBS) enterprise management solution.
American Airlines was listed late last week on the Tor-based leak website of the Cl0p ransomware group. The Oracle EBS campaign has been claimed in the name of Cl0p and it has been linked to a cybercrime group known as FIN11.
At the time of writing, the cybercriminals have made public the allegedly stolen American Airlines data, which totals more than 26 GB of archive files.
While the hackers named American Airlines on their leak website, it appears that in reality they targeted an Oracle EBS instance used by Envoy Air.
Texas-based Envoy Air describes itself as the largest regional carrier for American Airlines, with over 800 daily flights to more than 160 destinations under the American Eagle brand.
In a statement to the media, Envoy confirmed being impacted by the Oracle EBS campaign, but the company said its investigation has shown that no customer or other sensitive data was compromised.
Envoy admitted that “a limited amount of business information and commercial contact details may have been compromised”.
Harvard University was the first confirmed victim of the Oracle EBS hack. Other organizations have since been listed on the Cl0p leak website, including South Africa’s University of the Witwatersrand, Johannesburg.
The South African university confirmed in a statement posted on its website that it has been targeted, and said it’s working on determining what data was compromised as a result of the attack. The hackers have already made public the files allegedly stolen from the University of the Witwatersrand.
The Cl0p site also lists industrial giant Emerson, but no data has been leaked at the time of writing. SecurityWeek has reached out to Emerson for comment.
Dozens of victims of the Oracle EBS campaign have received extortion emails from the attackers. The organizations that are now being listed on the Cl0p website are likely those that have refused to pay a ransom.
While the Oracle campaign has been linked to Cl0p and FIN11, it’s worth pointing out that Google’s Mandiant tracks several threat clusters under the FIN11 umbrella, and it’s unclear exactly which cluster is behind the attack.
It’s also unclear which Oracle EBS vulnerabilities have been exploited in the attack. Oracle initially said known flaws patched in July were involved, and later announced patches for a zero-day (CVE-2025-61882) apparently exploited in the campaign. The software giant has also fixed CVE-2025-61884, another EBS flaw exposing sensitive data, but has not clarified whether it has also been exploited.

