
Envoy Air, a regional airline carrier owned by American Airlines, has confirmed that data from its Oracle E-Business Suite application was compromised after the Clop extortion gang listed American Airlines on its data leak site.
“We are aware of an incident involving Envoy’s Oracle E-Business Suite application,” Envoy Air told BleepingComputer.
“Upon learning of the matter, we immediately initiated an investigation and law enforcement was contacted. We have thoroughly reviewed the relevant data and have confirmed that no sensitive or customer data was impacted. A limited amount of business information and commercial contact details may have been compromised.”
Envoy Air is a subsidiary of American Airlines and operates regional flights under the American Eagle brand. Although it operates as a separate company, it is integrated into the American network for ticketing, scheduling, and passenger service.
The Clop ransomware gang is now leaking data stolen from Envoy on their data leak site, stating, “The company doesn’t care about its customers, it disregards their security!!!”
This new security incident is related to a data theft campaign carried out in August by the Clop extortion group, which began sending extortion emails to companies in September, claiming to have stolen data from Oracle E-Business Suite systems.
While Oracle initially said threat actors were taking advantage of vulnerabilities patched in July, the company later revealed that the extortion gang took advantage of a zero-day flaw tracked as CVE-2025-61882 in the attacks.
CrowdStrike and Mandiant later revealed that Clop took advantage of the flaw in early August to break into the system and deploy malware.
While Clop would not share how many companies were affected by the data breach attacks, Google’s John Hultquist told BleepingComputer via email that he believed dozens of organizations were affected.
The Clop gang is also extorting Harvard University as part of the same data theft campaign, with the university confirming to BleepingComputer that the incident affected “a limited number of parties associated with a small administrative unit.”
Last week, Oracle quietly patched another E-Business Suite zero-day, tracked as CVE-2025-61884, without disclosing that it was actively exploited in July 2025.
This zero-day is linked to an exploit leaked by the Shiny Lapsus$ Hunters extortion group on Telegram.
American Airlines previously suffered data breaches in 2022 and 2023 that exposed employees’ personal information.
Who is Clop?
The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, was launched in 2019 when it began breaking into corporate networks to deploy a variant of the CryptoMix ransomware and steal data.
Since 2020, the extortion gang has shifted from primarily deploying ransomware to exploiting zero-day vulnerabilities in secure file transfer or data storage platforms to steal data.
Some of their attacks using zero-day flaws include:
The US State Department currently offers a $10 million reward for information linking Clop’s ransomware activities to a foreign government.


