Investigative Report • Data Breach • Workers’ Rights
The Washington Post Exposed Its Workers’ Bank Accounts and Did Nothing For Weeks
Filed: December 4, 2025 • Source: Federal Class Action Complaint, Kim v. WP Company LLC
TL;DR
- A cyberattack on The Washington Post between July 10 and August 22, 2025 exposed the names, bank account numbers, routing numbers, and employee ID numbers of approximately 10,000 current and former workers.
- The Post knew about the breach by October 27, 2025, but waited more than two weeks before notifying victims, giving cybercriminals a longer window to exploit stolen financial data.
- The stolen data had already been in criminal hands for roughly three months before The Post even discovered it.
- The Post told workers to monitor their own credit and bank accounts, offered zero credit monitoring services, and left employees to clean up the damage at their own expense and time.
- A federal class action lawsuit now accuses The Post of negligence, breach of implied contract, and unjust enrichment, on behalf of all 10,000 affected workers.
The complaint details how The Post calculated to save money on security at workers’ expense. The full accounting is in “The Non-Financial Ledger” and “Legal Receipts” below.
The Washington Post, a media institution that built its reputation on exposing government secrets, kept a secret of its own for over two weeks: that cybercriminals had already stolen the bank account numbers of 10,000 of its own workers.
The Breach: How It Happened and Who Got Burned
The attack ran silently from July 10, 2025, through August 22, 2025. Hackers exploited a vulnerability in Oracle’s E-Business Suite, the software platform The Washington Post used to manage HR functions and store employee data. Oracle itself identified the flaw as “a previously unknown and widespread vulnerability” that gave unauthorized actors access to many of its customers’ systems simultaneously.
The Post did not discover the breach until October 27, 2025. By that point, the stolen data had been sitting in criminal hands for approximately three months. Then, instead of moving immediately, The Post waited until November 12, 2025, to begin notifying affected workers. That is sixteen days of silence after they knew.
The data taken was not abstract or recoverable. Cybercriminals walked away with names, employee ID numbers, bank account numbers, and routing numbers. These are the exact details needed to drain a bank account, set up fraudulent direct deposits, and hijack a financial identity. Approximately 10,000 current and former employees and contractors had this information compromised.
The Data Was Almost Certainly Unencrypted
The class action complaint states that, upon information and belief, the Private Information stored on The Post’s network was not encrypted. This is a foundational failure. Encryption does not stop a breach from happening, but it renders stolen data useless. Without it, the moment a hacker gets in, everything is readable, sellable, and exploitable.
The FTC has published explicit guidelines telling businesses to encrypt information stored on computer networks. The Post, a company with the resources to employ thousands of people and maintain a global digital media operation, had access to these guidelines and the means to comply. The complaint alleges The Post simply chose not to invest adequately in security measures, instead prioritizing its own profits.
Timeline: From Breach to Victim Notification (Days Elapsed)
The Non-Financial Ledger: The Human Cost They’re Not Paying
Jun Hee Kim worked for The Washington Post from 2018 to 2019. He did his job, handed over his personal information because he had no choice, and then left. Six years later, on November 12, 2025, a letter arrived at his Maryland home telling him that criminals had his bank account number and routing number. He is not a current employee with HR support, an IT help desk, or a sympathetic manager to call. He is a former worker, alone with a liability that was created entirely by someone else’s negligence.
The moment Kim received that notice, his time was no longer his own. The complaint documents what came next: verifying the letter was real, consulting a lawyer, changing passwords, checking financial accounts for a minimum of one hour per week. Every spam call that rings now, and the complaint confirms he gets at least one a day, carries with it the question of whether this is the moment his identity gets weaponized. That is a psychological tax levied on him by The Post, paid out in anxiety, indefinitely, at no cost to The Post.
Bank account numbers and routing numbers are in a special category of dangerous. Unlike a credit card number that can be cancelled and replaced, a bank account is a direct pipeline to someone’s money. Once a criminal has both the account number and the routing number, they can initiate ACH transfers, set up fraudulent payroll redirects, drain savings, and bounce rent checks. The damage does not announce itself instantly. It compounds. The complaint makes this explicit: victims can face multiple years of ongoing identity theft and financial fraud, and there is a well-documented lag between when data is stolen and when it is used, sometimes exceeding a year.
The Post’s response to causing all of this was to mail instructions. Specifically, they advised workers to review their account statements, notify law enforcement of suspicious activity, monitor credit reports monthly, place a fraud alert on their credit report, and put a security freeze on their credit file. Every single one of those actions requires the worker to spend their own time and, in many cases, their own money. The notice contained zero information about credit monitoring or other services The Post would pay for. The lawsuit calls this out directly: The Post’s advice “entirely fails to provide any compensation for the unauthorized release and disclosure” of workers’ private information. In plain terms, they handed workers a mop and told them to clean up a flood they caused.
This Was Not an Accident. This Was a Calculation.
The unjust enrichment count of the lawsuit makes a specific and damning argument: The Post enriched itself by saving the costs it should have spent on data security. The complaint states the company “calculated to increase its own profits at the expense of Plaintiff and Class members by utilizing cheaper, ineffective security measures.” This is the corporation as subject, doing the action: The Post saved money. Workers paid the price. That gap between what adequate security would have cost and what The Post actually spent is not a rounding error. It is the entire mechanism of the harm.
The stolen data qualifies as property with measurable market value. The complaint cites dark web pricing: personal information sells for between $40 and $200 (enough to buy a week’s worth of groceries for a family), and access to entire company data breach caches sells for between $900 and $4,500 (enough to cover a month’s rent in most American cities). Cybersecurity experts note that personally identifiable information like names and account numbers sells for more than ten times the price of credit card data on the black market. Ten thousand workers’ financial data represents tens of millions of dollars in criminal market value. Workers received none of the benefit of that data when they were employed. They received all of the risk when it was stolen.
The complaint also documents something that gets lost in the legal language: the permanence of this harm. The data types stolen in this breach cannot be changed. A bank account number is not a password. A name is not a password. A routing number is not a password. These are static identifiers that stay compromised forever. The complaint states plainly that the stolen private information is “static and difficult, if not impossible, to change.” Every single one of the 10,000 affected workers now carries a lifetime elevated risk of fraud, filed against them through no fault of their own, generated by a company that covered its own costs by skimping on theirs.
Legal Receipts: They Said It In Writing
The following passages come directly from the federal class action complaint. These are the words that matter most.
“Defendant enriched themselves by saving the costs they reasonably should have expended on data security measures to secure Plaintiff’s and Class members’ Personal Information. Instead of providing a reasonable level of security that would have prevented the Data Breach, Defendant instead calculated to increase its own profits at the expense of Plaintiff and Class members by utilizing cheaper, ineffective security measures.” Class Action Complaint, Count III: Unjust Enrichment, ΒΆ162
“Defendant’s credit monitoring advice included in the Notice squarely places the burden on Plaintiff and Class members, rather than on Defendant, to monitor and report suspicious activities to law enforcement. In other words, Defendant expects Plaintiff and Class members to protect themselves from its tortious acts resulting in the Data Breach. Rather than automatically enrolling Plaintiff and Class members in credit monitoring services upon discovery of the Data Breach, Defendant merely sent instructions to Plaintiff and Class members about actions they can take to retroactively protect themselves.” Class Action Complaint, ΒΆ62
“Defendant had the resources necessary to prevent the Data Breach but neglected to adequately invest in security measures, despite its obligation to protect such information.” Class Action Complaint, ΒΆ52
“Plaintiff and Class members are now, and for the rest of their lives will be, at a heightened and substantial risk of identity theft. Plaintiff and Class members have also incurred (and will continue to incur) damages in the form of, inter alia, loss of privacy and costs of engaging adequate credit monitoring and identity theft protection services.” Class Action Complaint, ΒΆ77
“The Private Information compromised in this Data Breach is static and difficult, if not impossible, to change… there may be a substantial time lagβmeasured in yearsβbetween when harm occurs versus when it is discovered, and between when Private Information and/or financial information is stolen and when it is used.” Class Action Complaint, ΒΆΒΆ61, 86
Societal Impact Mapping: The Bigger Picture
Public Health: Identity Theft Is a Mental Health Crisis
The Department of Justice research cited in the complaint is direct: identity theft causes “severe distress” to its victims. This is not a legal formality or a throwaway line. Identity theft survivors describe the experience as a prolonged invasion, a constant background radiation of anxiety and suspicion that reshapes how they interact with financial systems, healthcare providers, and government agencies. Every piece of mail becomes a potential threat. Every unfamiliar charge triggers a crisis response.
The complaint documents that Jun Hee Kim has been receiving at least one spam call or text message every day since the breach. That is a daily reminder of violation. It is a Pavlovian stress trigger installed by The Post’s negligence and ringing on Kim’s phone indefinitely. The GAO report cited in the complaint adds a clinical dimension to this: the protective steps data breach victims must take are “both time-consuming and of only limited and short-term effectiveness.” This means the burden never fully lifts. Victims spend years managing a harm they did not cause and cannot fully resolve.
The complaint also notes that the 2024 data breach landscape saw 1.35 billion people affected, a 211% increase from the prior year. At the same time, nearly one in three security professionals believes AI-powered ransomware will grow as a threat in 2025. The population of people living with the psychological and financial weight of compromised personal data is not shrinking. The Washington Post’s breach adds 10,000 more people to that population, people who handed over their financial information as a condition of employment and received inadequate protection in return.
Economic Inequality: The People Who Can Least Afford This Pay the Most
The class action framework exists precisely because the individual cost of suing a major corporation exceeds what most working people can afford. The complaint is explicit: “Absent a class action, most Class members would likely find the cost of litigating their individual claims prohibitively high and would therefore have no effective remedy.” This is the structural violence of corporate data negligence laid bare. The company saves money on security. Workers lose money to fraud, credit monitoring, legal consultation, and time. The company waits for individuals to sue, knowing most cannot afford to.
Bank account numbers and routing numbers are especially devastating to lower-income workers and hourly employees because they often represent the entirety of accessible liquid assets. A drained checking account for a salaried professional at a major newspaper is a crisis. The same outcome for a contractor, a part-time employee, or a former worker living paycheck-to-paycheck can mean missed rent, bounced checks, overdraft fees compounding daily, and eviction proceedings. The breach did not discriminate between senior editorial staff and a facilities worker who cleaned the building in 2018. The notification went to everyone. The consequences land harder on those with less cushion.
The complaint further establishes that affected individuals must now spend money they were not planning to spend. Credit monitoring services, credit freezes, credit reports, and legal consultations all cost money. The complaint seeks to require The Post to fund lifetime credit monitoring for all class members. Until that happens, if it ever does, those 10,000 workers absorb those costs themselves. That is a direct wealth transfer from workers to the corporation, achieved through corporate negligence.
Dark Web Market Value of Stolen Data Types (Per Record, USD)
Source: Digital Trends, VPN Overview, as cited in the class action complaint. Company-wide breach bar scaled to axis limit; actual high estimate is $4,500.
The Corporate Math: What They Saved vs. What Workers Lost
Dark Web Value: 10,000 Workers’ PII at Market Rates (USD Millions)
Estimated dark web market value of stolen PII from all 10,000 affected workers, based on price ranges cited in the complaint. $2M is roughly enough to pay two years of salaries for a small cybersecurity team that could have prevented this.
What Now: Who To Watch and What To Demand
Corporate Roles Accountable in This Action
- WP Company LLC d/b/a The Washington Post: Defendant. Responsible for the security failures and the delayed notification.
- Oracle Corporation: Third-party software provider whose E-Business Suite vulnerability was the attack vector. The complaint notes The Post had a duty to verify that third-party vendors had implemented reasonable security measures.
- The Post’s Executive Leadership: Named in spirit by the complaint’s allegation that The Post “had the resources necessary to prevent the Data Breach but neglected to adequately invest in security measures.” Resource allocation decisions come from the top.
Explore by category
Product Safety Violations
When companies sell dangerous goods, consumers pay the price.
View Cases →Financial Fraud & Corruption
Lies, scams, and executive impunity that distort markets.
View Cases →
