Oracle quietly admits data breach, days after lawsuit accused it of cover-up

Oracle has finally admitted to suffering a significant data breach, quietly notifying select customers about the security incident just days after being hit with a class action lawsuit that accused the tech giant of attempting to conceal the breach from affected users.

The company’s acknowledgment comes after weeks of denials and represents a significant change from its public stance on the matter.

Oracle’s behind-the-scenes admission

Oracle has begun privately notifying select clients about the cybersecurity breach in which a hacker gained access to a system containing client login credentials, Bloomberg reported late Wednesday. It said the compromised data included usernames, passkeys, and encrypted passwords.

The FBI and cybersecurity firm CrowdStrike are investigating the incident, Oracle said in the private communications, according to the report. Sources familiar with the matter told Bloomberg that the attacker sought an extortion payment from the company.

Oracle attempted to minimize the severity of the incident by describing the compromised system as a “legacy environment” that had been unused for eight years. However, one source familiar with the breach contradicted this claim, telling Bloomberg that the stolen data included Oracle customer login credentials from as recently as 2024.

This is the second cybersecurity incident the company has acknowledged in recent months. Bloomberg’s sources indicated that Oracle specified this breach was separate from another that it had disclosed to some healthcare customers last month.

Lawsuit challenges Oracle’s response

The reports of Oracle’s acknowledgment of the breach come just days after the company was hit with a class action lawsuit over its handling of the incident.

The lawsuit specifically addresses a major security breach discovered in March that reportedly compromised 6 million records containing sensitive authentication-related data from Oracle Cloud infrastructure, potentially affecting more than 140,000 tenant databases.

The suit is notable because it directly targets Oracle, rather than the enterprises whose data the database service provider was holding.

Filed by Florida resident Michael Toikach in the US District Court for the Western District of Texas, the lawsuit accuses the enterprise technology giant of failing to secure private information held by its customers and of concealing the breach from them.

“Oracle has failed to inform Plaintiff and Class members whether it was able to contain or end the cybersecurity threat, leaving victims to fear whether the Private Information that Oracle continues to maintain is secure,” the lawsuit claims.

The complaint, filed by law firm Shamis & Gentile, seeks a jury trial and claims Oracle violated Texas state laws by failing to notify victims within the required 60-day window after discovering the breach.

According to the court filing on Monday, Oracle had yet to inform affected customers about the incident or provide details on whether it has secured their data. “All of this information is vital to victims of a data breach, let alone one of this magnitude,” the lawsuit said.

Beyond financial compensation, the plaintiffs are demanding that Oracle implement stronger security measures to prevent future incidents. The lawsuit emphasizes that those affected face an “increased risk of identity theft and fraud for years to come.”

Industry implications and security concerns

The legal challenge adds significant pressure on Oracle during a time of heightened scrutiny around cloud security and data privacy.

Security experts warn that the breach fundamentally undermines cloud security assumptions. “Cloud customers were engaged on a bedrock security promise: tenant isolation and segregation contain breaches,” said Sunil Varkey, advisor at Beagle Security. “However, a single hack reportedly exposed 6 million records across 140,000 tenants, and the provider did not even realize the compromise, shattering that illusion.”

Varkey further highlighted the “watering hole” effect created by the breach: “A breached SSO endpoint with a master key isn’t just a data grab; it’s a perfect watering hole. Every tenant logging in, from global enterprises to SMBs, becomes prey. The hacker doesn’t chase them; they come to the trap.”

Threat intelligence firm CloudSEK first reported the breach, identifying a hacker selling six million records allegedly exfiltrated from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. Security researchers linked the attack to CVE-2021-35587, a vulnerability in Oracle Access Manager previously flagged by the Cybersecurity and Infrastructure Security Agency (CISA) as a known exploited weakness.

Security professionals caution that organizations need to rethink their cloud security strategies in light of this incident. “The previous assumption that cloud adoption guarantees cost reduction and resilience is now being questioned, as such incidents have the potential to bring down entire environments,” Varkey added.

Oracle’s shifting statements

Oracle’s private admissions to customers stand in stark contrast to its earlier public denials. The company initially stated: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Security experts have criticized Oracle’s crisis response. “Keeping quiet or denying a potential breach or vulnerability in their ecosystem is unethical and a crime,” Varkey said. “Stakeholders blindly trust their cloud provider, and when facts are suppressed, exposed tenants and their supply chains face a cascading impact across the digital terrain globally.”

With legal action underway and further investigations expected, the case could have broader implications for cloud provider liability and regulatory compliance in the cybersecurity landscape.

Oracle has not publicly acknowledged the breaches, and further inquiries to the company remain unanswered.
