Oracle customers confirm data stolen in alleged cloud breach is valid
83 comments
March 26, 2025
ziddoap
znpy
> It's not like there are any real penalties to a breach.
Not in the US maybe. In the EU under GDPR you have to disclose within 48h of you realizing (or being made aware of) the breach.
There are fines (at least) if you don't disclose it, afaik.
Oracle is gonna have issues with the EU, most likely.
mrbluecoat
Maybe the EU wasn't on the Signal group chat when Oracle notified The Atlantic of the breach
cyanydeez
[flagged]
toomuchtodo
SEC Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules - https://www.sec.gov/files/33-11216-fact-sheet.pdf
rodgerd
I mean it's true that there's a rule, but at this point in US history I think we have reason to be sceptical that it will be enforced.
ziddoap
Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue? Admittedly, I don't watch too closely, but from the ones I am aware of, I haven't seen any GDPR fines that made me finally think "wow, that might actually count as a punishment". (I would honestly be happy to learn of some!)
There are disclosure laws in the US as well, but again, the fines are like a day's worth of revenue. Maybe the breached company has to provide a year of credit monitoring for the affected persons, if lucky.
mikeyouse
Several of the fines have been in the hundreds of millions of dollars - and while not crushing to Oracle, that's actual money that will definitely change behavior. https://www.enforcementtracker.com/
everfrustrated
In the UK, and I presume the EU also, the fines for losing customer data are set as a % of company annual worldwide turnover.
https://ico.org.uk/for-organisations/law-enforcement/guide-t...
znpy
> Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue?
Not yet, hopefully soon: under some circumstances GDPR fines can go up to 6% of gross earning (ebitda) iirc.
miksik
> In the EU under GDPR you have to disclose within 48h
72h actually, but yes, data protection and breaches of sensitive personal information are taken very seriously in the European Union and its legislation.
m3047
This just in... /s
Seriously though, Sullivan lost his appeal. You should have read up on this.
https://www.courthousenews.com/wp-content/uploads/2025/03/us...
2thumbsup
The fact alone that Oracle was hosting their login gateway on a product with a known vulnerability from 2021 with a CVSS score of 9.8 is quite disturbing.
fock
We pay millions to Oracle. We hit a bug and it took 6 months for them to reproduce and acknowledge there is a bug. They now seem to be on the lookout for someone being able to produce a fix: sales and Indian after-sales can't do that... curious!
Oracle seems just a money-grabbing shell company at this point, and I suppose the whole hyperscaler cloud is developing towards that point, with the leaders of those corporations repeating exactly the same talking points...
toomuchtodo
Why are you still on Oracle? (genuine question, no snark)
plantain
Because Oracle gives their manager premium baseball tickets on the regular.
ie21
They make a great database?
comprev
Because of architectural decisions made a very long time ago (finance industry) and the potential risk of migrating to another platform.
fock
As others have mentioned:
- institutional inertia
- some weird consultant-style people in key roles (this happens around cloudy stuff too)
- the DBA team
- "we can't move everything!"
- "we just migrated off Solaris!"
However, every new project with sane leadership seems to decide against Oracle.
pram
Fun fact: Oracle has like 6+ LDAP/directory products, OAM is just one. There's ODS, OIM, OID, OUD, OVD, NIS leftovers from Sun, and probably more honestly.
skissane
OAM and OIM aren’t “LDAP/directory products” per se.
OAM is an access management product, used to implement stuff like SSO (single sign-on). So, for example, it comes with a module you can install in Apache which will intercept HTTP requests and redirect them to OAM’s login page - which may potentially talk to an LDAP to authenticate you. Or you can do stuff like define some URL patterns in an app as sensitive so they require a more secure authentication mechanism (such as 2FA or smart card), and other URL patterns as less sensitive so password-only login is sufficient.
OIM is basically about provisioning accounts from a source system into target systems. Those systems could be LDAPs from various vendors, but can also be HR systems (Oracle’s various offerings and SAP too), IBM mainframes (RACF, TopSecret, ACF2), Unix/Linux hosts, database tables, custom apps… It also lets you do things like set up workflows to approve system access requests; you can configure it to require reapproval of high-risk access requests by management every X months or else they get revoked (used for Sarbanes-Oxley compliance), etc.
Source: I used to work for Oracle Engineering, in a team which handled escalations for these products, especially OIM, but I stuck my fingers in most of them. When I left (back in 2017, so a while ago now) they were putting a lot of effort into their cloud offering (IDCS, more recently replaced by OCI IAM), but I’m sure the on-premise offerings are going to stick around for a long time, especially because they have some customers (e.g. in the national security space) for which cloud is unlikely to be a viable solution any time soon.
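The URL-pattern protection the comment above describes (some paths need a stronger login than others, and an interceptor redirects to the login page when the current session is not strong enough) is a step-up authentication policy. The following is an added illustration written for this thread, not Oracle's code or OAM's actual policy format: the rule list, assurance level names, the `sso.example.invalid` login URL and the `level`/`resume` query parameters are all constructed assumptions. It shows the two decisions such an interceptor has to make: which rule governs a path (first, most specific match wins, falling back to a closed default), and whether the session's assurance level meets it.

```python
"""Step-up authentication policy check (hypothetical example, not OAM code)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlencode

# Authentication assurance levels: a higher number means a stronger mechanism.
ANONYMOUS, PASSWORD, MFA, SMARTCARD = 0, 1, 2, 3
LEVEL_NAMES = {ANONYMOUS: "anonymous", PASSWORD: "password",
               MFA: "mfa", SMARTCARD: "smartcard"}


@dataclass(frozen=True)
class Rule:
    pattern: str   # glob over the request path, e.g. "/admin/*"
    required: int  # minimum assurance level the session must hold


# Constructed policy: most specific patterns first, first match wins.
POLICY: List[Rule] = [
    Rule("/admin/*", SMARTCARD),     # admin UI: smart card only
    Rule("/payroll/*", MFA),         # sensitive app: password + second factor
    Rule("/app/*", PASSWORD),        # ordinary app: password login suffices
    Rule("/public/*", ANONYMOUS),    # static content: no login needed
]


def required_level(path: str, policy: List[Rule] = POLICY,
                   default: int = PASSWORD) -> int:
    """Return the assurance level a path requires under the policy.

    Unlisted paths fall back to `default`, so the policy fails closed:
    a path nobody thought about still needs at least a password login.
    """
    for rule in policy:
        if fnmatch.fnmatchcase(path, rule.pattern):
            return rule.required
    return default


@dataclass
class Decision:
    action: str              # "allow" or "redirect"
    required: int            # level the path requires
    location: Optional[str] = None  # login URL when action == "redirect"


def evaluate(path: str, session_level: int,
             login_url: str = "https://sso.example.invalid/login") -> Decision:
    """Decide whether a request may proceed or must be sent to the login page.

    The session keeps the level it authenticated with; a request for a path
    that needs more is redirected, carrying the required mechanism and the
    original path so the user can be sent back after stepping up.
    """
    need = required_level(path)
    if session_level >= need:
        return Decision("allow", need)
    query = urlencode({"level": LEVEL_NAMES[need], "resume": path})
    return Decision("redirect", need, f"{login_url}?{query}")


if __name__ == "__main__":
    for path, level in [("/public/index.html", ANONYMOUS),
                        ("/app/home", PASSWORD),
                        ("/payroll/report", PASSWORD),
                        ("/admin/users", MFA)]:
        d = evaluate(path, level)
        print(f"{path:22} session={LEVEL_NAMES[level]:10} -> {d.action}"
              + (f" ({d.location})" if d.location else ""))
```

The interesting property is the ordering of the rules: because the first match wins, a broad pattern placed above a narrow one would silently weaken the narrow one, so a real deployment would want a check that no later rule is shadowed by an earlier, looser one.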
forinti
And you can't just use your AD, you have to install OID and have it synchronized.
It just makes me mad.
greenchair
hey at least they use their own product!
sidewndr46
It appears they took dogfooding a little too literally
cluckindan
Ironically, they didn’t see this coming.
2OEH8eoCRo0
Check out Oracle's market cap or Ellison's net worth ;)
xyst
> In this email exchange, the threat actor says someone from Oracle using a @proton.me email address told them that "We received your emails. Let’s use this email for all communications from now on. Let me know when you get this."
E-mails are one of the records that most public companies are required to retain for a period of time (7 yrs?). Probably trying to avoid a paper trail?
Data breaches, unfortunately, have no impact on stock. Companies that use Oracle products are unlikely to migrate any time soon.
_Future_ sales may be impacted, and maybe some smaller players can migrate off. But Oracle will downplay it as much as possible.
“Deny. Delay. Defend.” is not just a health insurance slogan.
6stringmerc
Okay, having worked at a top 3 insurance broker about 10 years ago when “Cyber” policies were being rolled out (h/t Beasley)… I wonder who underwrote Oracle’s policy and how much it was in that tower? No policy? Hope the D&O can cover the shareholder lawsuits! Wait, something something cozy with administration in power, rules subject to interpretation, etc.
Then again, Tyler Technologies blamed Judyrecords.com for their exposing reams of sealed cases in California because of their flawed obfuscation system, and claimed it was a security breach (somehow skated on accountability there).
Rule #1 of a breach is never write the word breach in an email, hence the discussion off their dot com I figure…
az226
Classic, Oracle denying breach despite clear evidence.
dylan604
This is the way.
Deny deny deny. Those that have already drunk the kool-aid will believe your denial. Those that are too lazy to look or only get their info from one source will not know any different than your denial. The rest are just wrong from being in opposition anyways.
It works anywhere as long as you are large enough of an entity
franktankbank
Responding to a person with a non-company email... eek.
imglorp
Attempting to admit something to key customers but they don't do it on letterhead!
https://arstechnica.com/security/2025/03/oracle-is-mum-on-re...
Look for them to sue any messengers shortly.
thedougd
If you ran Oracle you’d appreciate why it wasn’t patched. They do not make it easy.
medhir
Genuinely curious what kind of demographic is leveraging Oracle for cloud products — all I’ve heard about them suggests long-term pain.
This incident certainly doesn’t help inspire confidence in their offerings.
ripped_britches
Multi-cloud companies that want pricing leverage at the expense of simplicity (Uber is a major customer of all 4 big clouds, for example).
jaza
There are 4 big clouds? I had only ever heard of the big 3 mentioned until now (AWS, Azure, GCP). From a quick search, it appears that the 4th is Alibaba Cloud.
alephnerd
In the non-Chinese market, the 4th cloud is Oracle Cloud (OCI).
But yea, there is AWS, GCP, Azure, and OCI outside China and Alibaba, Huawei, and Tencent within China.
inemesitaffia
They have free cloud and egress is cheaper.
sexy_seedbox
What about Oracle Opera Cloud and Oracle NetSuite Cloud customer data—have they been stolen as well? Many many hotels around the world use Opera + NetSuite.
KaiserPro
How long has Oracle been denying it? Three days?
tartoran
Not sure how long it will take them to accept responsibility in this case, or at least confirm it, but Oracle has always played the denying game; it looks like their favorite business practice.
justanother1
Larry and Trump are in bed. Oracle will (should) fire their OCI and SaaS CISOs.
> BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
> In addition to the data, rose87168 shared an Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach.
Oracle probably should have just admitted the validity up front.
It's not like there are any real penalties to a breach. Lying about it is probably a worse PR hit than the breach itself.