In a startling turn of events, Oracle Corporation has informed several of its customers about a successful intrusion into its public cloud services, alongside the theft of sensitive data. This comes after the company previously denied any breach had occurred. The news raises serious questions regarding the security protocols in place at one of the world’s leading software and cloud services companies.

The allegations of a cyberattack against Oracle's cloud service first surfaced in late March when an individual operating under the pseudonym “rose87168” claimed to have infiltrated two of the company’s login servers. This hacker boasted of having accessed approximately six million records, which reportedly included private security keys, encrypted credentials, and LDAP entries belonging to thousands of organizations. The hacker even placed this stolen information up for sale on an underground cybercrime forum, drawing attention to the severity and scale of the breach.

Initially, Oracle staunchly denied these claims, asserting that the information was false. However, multiple information security experts subsequently analyzed the stolen data shared by the hacker and found that Oracle's Cloud Classic product had indeed been compromised. It appears that the breach was facilitated by exploiting Oracle-hosted login servers that had not been patched against a known vulnerability, CVE-2021-35587, in Oracle Access Manager, which is part of the Oracle Fusion Middleware suite. This oversight in patching vulnerabilities within its own systems has likely led to the significant loss of data, explaining the company's initial reluctance to admit that a breach had occurred.

In a particularly brazen move, the hacker created a text file containing their email address on the login.us2.oraclecloud.com server in early March, which served as undeniable proof of their access to the system.

In light of the breach, two of Oracle's customers have reported that the company reached out to them to discuss the incident discreetly. Oracle has reportedly engaged cybersecurity firm CrowdStrike to assist in managing the fallout from this data breach. However, when approached for confirmation, CrowdStrike chose not to comment directly, instead directing inquiries back to Oracle. Reports indicate that the FBI is also investigating the intrusion, which adds another layer of complexity to the situation.

According to a report from Bloomberg, Oracle reassured these two concerned customers that the hacker had compromised an older server that contained data dating back eight years, suggesting that the stolen credentials were likely outdated. However, one customer contested this claim, stating that login data as current as 2024 had been taken during the breach. The inconsistency in these accounts raises further concerns about the integrity of Oracle's security measures.

As a result of the breach, Oracle now faces a lawsuit in Texas, a development that promises to unveil more details during the discovery process. It is worth noting that the data breach Oracle has acknowledged is distinct from a separate incident involving Oracle Health, about which the company has chosen to remain silent.

A critical aspect of the situation is its potential implications under the General Data Protection Regulation (GDPR) enforced in Europe. This regulation requires organizations to report the theft of customer data to the affected individuals within 72 hours of discovery. Failure to comply could result in substantial fines ranging from two to four percent of a company’s global revenue.

In the United States, there is no overarching federal requirement for immediate disclosure of security breaches; however, several states have enacted their own regulations that necessitate timely reporting. Additionally, if Oracle’s Health platforms have indeed been compromised as feared, the company could also incur fines under the Health Insurance Portability and Accountability Act (HIPAA).

As the situation unfolds, Oracle may find itself facing class-action lawsuits as legal representatives begin to seek out aggrieved parties. The company’s initial approach of downplaying the breach is notably unusual in the tech industry and raises questions about its transparency and accountability.