Envoy Air, a regional airline subsidiary of American Airlines, disclosed a breach in its Oracle E-Business Suite system. The incident was linked to the Clop ransomware gang, which listed American Airlines on its data leak site, suggesting the compromise involved extortion threats. While the exact scope of the breach remains undisclosed, the involvement of Clop—a notorious ransomware group known for data exfiltration and extortion—implies potential exposure of sensitive corporate or employee data. The attack targeted a critical enterprise system (Oracle E-Business Suite), which typically manages financial, HR, and operational data, raising concerns about financial fraud, reputational damage, or regulatory penalties. Envoy Air has not confirmed whether customer data was affected, but the association with Clop increases the likelihood of internal data leaks or operational disruptions. The breach underscores vulnerabilities in third-party enterprise software and the escalating risks posed by ransomware-as-a-service (RaaS) groups like Clop.

Texas-based regional airline Envoy Air, a subsidiary of American Airlines, confirmed a breach on October 17, 2025, stemming from a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), exploited by the CL0P ransomware group (TA505/FIN11). The attack was part of a coordinated extortion campaign targeting global companies via a high-volume email phishing scheme launched in late September 2025. While Envoy Air stated that no sensitive customer data or flight operations were affected, the breach compromised limited business information and commercial contact details.The vulnerability allowed attackers to gain unauthorized remote access without credentials, and Oracle released an emergency patch on October 4, 2025, after nearly three months of active exploitation. CL0P had already listed American Airlines (Envoy Air’s parent company) on their dark web leak site on October 16, 2025, claiming significant data theft. Experts warned of a ripple effect across organizations using Oracle EBS, emphasizing urgent patching to mitigate the threat.

Former Envoy Air Employee Sues Over 2025 Data Breach Linked to CL0P Ransomware Group A former Envoy Air Inc. employee has filed a class-action lawsuit against the regional airline and Oracle Corp., alleging negligence in protecting sensitive employee data exposed during a July 2025 cyberattack. The breach, attributed to the CL0P ransomware group, compromised personal information stored in Oracle’s business-software system, including Social Security numbers, birth dates, and financial account details. Khianna Parks, the plaintiff, seeks to represent current and former Envoy Air employees affected by the incident. The complaint was filed on Wednesday in the U.S. District Court for the Western District of Texas. Envoy Air, a subsidiary of American Airlines Group Inc., has not yet publicly responded to the allegations. The lawsuit highlights growing concerns over third-party vendor security risks and the persistent threat posed by ransomware groups targeting enterprise software systems. The breach underscores the potential long-term consequences of exposed personal data, including identity theft and financial fraud.

Envoy Air, a regional subsidiary of American Airlines, confirmed a cybersecurity breach linked to the Clop ransomware group, which exploited a zero-day vulnerability (CVE-2025-61882) in its Oracle E-Business Suite. The attack was part of a broader global campaign targeting multiple organizations. While the breach exposed business and commercial contact data, Envoy Air clarified that no sensitive customer or financial information was compromised. The Clop group leaked stolen data on its dark web platform, accusing the airline of neglecting cybersecurity. The incident follows a pattern of Clop’s large-scale data exfiltration operations, leveraging unpatched vulnerabilities in enterprise systems. Envoy Air engaged law enforcement and initiated an investigation, but the breach underscores ongoing risks in third-party enterprise applications, particularly in the aviation sector. The attack did not disrupt operations but raised concerns about supply-chain vulnerabilities and the exposure of non-sensitive corporate data to malicious actors.

Envoy Air, a subsidiary of American Airlines, fell victim to a cyberattack executed by the Cl0p ransomware group, exploiting a vulnerability in Oracle E-Business Suite applications. While the company confirmed that no sensitive or customer data was compromised, a limited amount of business information and commercial contact details may have been exposed. The attack was part of a broader campaign targeting Oracle’s widely used enterprise software, affecting multiple organizations globally. Envoy Air is actively investigating the incident in coordination with law enforcement. Experts warn that the exploitation window—spanning nearly three months (July to October 2025)—allowed threat actors to exfiltrate large volumes of data from unpatched systems. The attack underscores risks tied to third-party dependencies, operational disruptions, and potential long-term erosion of public trust. Google’s threat intelligence suggests over 100 organizations could be impacted, with many possibly unaware of their compromise during the zero-day period. Patches for the vulnerabilities (CVE-2025-61882, CVE-2025-61884) were released in October 2025, but delayed mitigation may have exacerbated exposure.