- LKQ confirmed it was affected by Oracle E‑Business Suite breach, exposing SSNs and EINs of about 9,000 people
- Cl0p is believed to be responsible, claiming terabytes of LKQ data stolen via CVE‑2022‑21587 exploitation
- The incident adds to a growing list of EBS victims, including Envoy Air, Harvard, The Washington Post, Cox, and Logitech
The list of companies breached through the Oracle E-Business Suite vulnerability keeps growing - with the latest organization to confirm an attack is US aftermarket car parts and recycled original equipment firm LKQ.
The company recently filed a data breach notification form with the Office of the Maine Attorney General, in which it said it lost sensitive data on roughly 9,000 people, including people’s LKQ Employer Identification Numbers, and Social Security Numbers.
The attack apparently took place on August 9 2025, and was discovered on October 3, when LKQ launched an internal investigation, which concluded on December 1, after which affected individuals, as well as relevant government agencies, were notified.
Cl0p steals terabytes
“There is no evidence of impact to LKQ’s systems beyond the Oracle E-Business Suite environment,” the company explained in the notification.
As a result, LKQ strengthened its network’s security, and offered free credit monitoring and identity restoration services through Cyberscout to affected individuals, for two years.
It did not detail who the threat actors were or what they were after. However, it is generally known that Cl0p, a Russian-speaking group, was the one behind the E-Business Suite attacks. Curiously enough, according to Security Week, LKQ was the first company Cl0p listed on its data leak website as having been breached through E-Business Suite, but the company did not confirm the claims until now.
Cl0p said it took several terabytes of files from LKQ’s EBS instances and shared it with the cybercriminal community.
Last summer, the ransomware actor abused a critical vulnerability in Oracle E-Business Suite, most commonly linked to CVE-2022-21587, which allowed unauthenticated remote code execution. This gave them access to user accounts, which they used to exfiltrate sensitive data. So far, there were multiple confirmed cases of data theft, including Envoy Air, Harvard University, The Washington Post, Cox Enterprises, and Logitech.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
