Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.
"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."
Envoy Air is a subsidiary of American Airlines and operates regional flights under the American Eagle brand. While it functions as a separate company, it is integrated into American's network for ticketing, scheduling, and passenger service.
The Clop ransomware gang is now leaking on its data leak site what it claims to be the data stolen from Envoy, stating, "The company doesn't care about its customers, it ignored their security!!!"
This new security incident is related to an August data theft campaign conducted by the Clop extortion group, which began emailing extortion demands to companies in September, claiming to have stolen data from Oracle E-Business Suite systems.
While Oracle initially stated that the threat actors were exploiting vulnerabilities patched in July, the company later disclosed that the extortion gang exploited a zero-day flaw tracked as CVE-2025-61882 in the attacks.
CrowdStrike and Mandiant later revealed that Clop exploited the flaws in early August to breach systems and deploy malware.
While Clop would not share how many companies were impacted by the data theft attacks, Google's John Hultquist told BleepingComputer via email that they believe that dozens of organizations were affected.
The Clop gang is also extorting Harvard University as part of this same data theft campaign, with the university confirming to BleepingComputer that the incident impacts a "limited number of parties associated with a small administrative unit."