Envoy Air

Envoy Air Data Breach (2025)

VERIS

low
Disclosed

October 1, 2025


Records

Undisclosed

Confirmed

Root Cause

Hacking

Industry

Transportation

Description

"Envoy Air, the largest regional carrier and a wholly owned subsidiary of American Airlines, has confirmed that it fell victim to a recent data theft campaign orchestrated by the notorious cybercriminal group Clop. The attack exploited vulnerabilities within the company's Oracle E-Business Suite (EBS) application, a system used by dozens of organizations worldwide. The confirmation comes shortly after the Clop gang added American Airlines to its public leak site, claiming to have stolen data. American Airlines clarified that the incident was specific to its subsidiary, Envoy Air.

Limited Data Compromised, Customers Unaffected

In its official statement, Envoy Air confirmed the compromise but sought to reassure customers that sensitive passenger data was not involved. The company noted the breach was isolated to Envoy's Oracle E-Business Suite application and did not affect any of American Airlines' core IT environments or data. More importantly, the company confirmed the incident had no impact on customer data, flight, or airport ground handling operations. "We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected," the company wrote, adding that "A limited amount of business information and commercial contact details may have been compromised."

Clop exploited Oracle zero-day flaws

The attack on Envoy Air is part of a high-volume extortion spree that began as early as August 2025, in which the Clop ransomware group leveraged a zero-day vulnerability in Oracle's EBS. Clop is believed to have exploited a newly discovered vulnerability, CVE-2025-61882, and potentially other vulnerabilities in the EBS platform to gain unauthenticated access and steal data. The group then began emailing corporate executives in September with extortion demands, threatening to leak the stolen data."