Google said a high-volume extortion campaign is targeting executives with emails claiming access to Oracle E-Business Suite (EBS) data, and Oracle said some EBS customers “have received extortion emails,” urging them to apply the July 2025 Critical Patch Update and harden environments.
For CFOs and CISOs, the risk spans executive pressure, potential data exposure, and ERP downtime across finance, supply-chain and CRM workflows.
Extortion campaign hits Oracle E-Business Suite
EBS underpins finance, supply chain, and CRM at large organizations; even unverified ransomware gang claims can trigger legal, reputational, and operational fallout.
Reuters reports Google described the campaign as “high volume” and said it could not yet verify data-theft claims. Oracle said EBS customers “have received extortion emails” and urged immediate patching (July 2025 CPU), but has not confirmed any customer data theft.
Immediate actions for EBS admins
Patch verification comes first: confirm your EBS estate is current per Oracle’s latest guidance (see July 2025 CPU) and record evidence, screenshots, change tickets, for audit readiness. Rotate SSO tokens, enforce MFA on EBS admin and service accounts, and review privileged roles and recent admin logins for anomalies.
Inventory and re-authorize third-party integrations: APIs, connectors, file transfers. Monitor interface logs for unusual spikes or failures. Integration points often represent the softest targets in an otherwise hardened ERP perimeter.
Route executive-targeted extortion emails via security and legal channels. Preserve full headers and artifacts before remediation; metadata can reveal campaign infrastructure and assist law enforcement or threat intelligence teams.
Run an ERP-compromise tabletop within 24 to 48 hours. Map finance and SCM records, vendor access, disclosure timelines, and pre-draft customer and regulator communications. Tabletops surface procedural gaps before an incident forces real-time improvisation under pressure.
