Envoy Air, a regional carrier owned by American Airlines, has confirmed that data from its Oracle E-Business Suite application was compromised following claims by the Clop extortion group, which recently listed American Airlines on its data leak site.
"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.
"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."
Envoy Air operates regional flights for American Airlines under the American Eagle brand. Although it functions as a separate entity, its operations are closely integrated with American’s systems for ticketing, scheduling, and passenger services.
The Clop ransomware group has begun leaking what it claims to be stolen Envoy data, posting the message: “The company doesn’t care about its customers, it ignored their security!!!” This breach is tied to a wider campaign that began in August, in which Clop targeted Oracle E-Business Suite systems and began sending extortion demands to affected companies in September.
Initially, Oracle said that attackers were exploiting vulnerabilities patched in July. However, the company later confirmed that the threat actors took advantage of a previously unknown zero-day flaw, now identified as CVE-2025-61882.
Cybersecurity firms CrowdStrike and Mandiant later reported that Clop exploited the flaw in early August to infiltrate networks and install malware. While the total number of victims remains unclear, Google’s John Hultquist told BleepingComputer that “dozens of organizations” were affected.
The extortion gang is also targeting Harvard University as part of the same operation. The university confirmed to BleepingComputer that the breach affected “a limited number of parties associated with a small administrative unit.”
Adding to the concerns, Oracle last week quietly patched another zero-day flaw in its E-Business Suite, CVE-2025-61884, which had been actively exploited since July 2025. The exploit was reportedly leaked by the Shiny Lapsus$ Hunters group on Telegram.
American Airlines has previously faced data breaches in 2022 and 2023, which exposed employee personal data.
Who is Clop?
The Clop ransomware group, also known as TA505, Cl0p, or FIN11, has been active since 2019. It initially used a variant of the CryptoMix ransomware to infiltrate corporate networks and steal information.
Since 2020, the group has shifted its focus to exploiting zero-day vulnerabilities in file transfer and data storage platforms. Notable campaigns include:
- 2020: Accellion FTA zero-day attack impacting nearly 100 companies
- 2021: SolarWinds Serv-U FTP zero-day exploit
- 2023: GoAnywhere MFT zero-day breach affecting 100+ firms
- 2023: MOVEit Transfer campaign, their largest to date, compromising data from 2,773 organizations worldwide
- 2024: Exploited Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) for data theft and extortion
The U.S. State Department is currently offering a $10 million reward for information linking Clop’s ransomware operations to any foreign government.
