Oracle Tested on Data Breaches, Gets Low Marks For Transparency

Oracle is presently dealing with the fallout of either one or two data breaches, apparently depending upon who’s doing the asking.

One of those, a February breach of Oracle Health, is a matter of public record. A more recent March breach of Oracle Cloud appears to be information only available to some of the company’s larger clients, at least going by recent news reports. But even the Health breach has seen the company drag its feet and fail to be forthright about certain aspects, even as some victims report extortion attempts on them by the hackers.

Oracle data breaches prompt lawsuit, whistleblowing

The more recent of the two data breaches is the more murky. Reports began coming in that Oracle Cloud had been breached in March, beginning with a Breach Forums post offering a massive amount of stolen data. Follow-up by security researchers, impacted Cloud clients and evidence posted by the hacker themselves points to it being real. But Oracle issued a hasty denial once news reports began coming out, and has not publicly changed its position since.

The issue with the data breaches may extend beyond negligent regard for clients into active cover-up, at least according to researchers with DoublePulsar. They say that evidence posted by the hacker to the Internet Archive, used to prove the legitimacy of the breach to questioning reporters and researchers, was scrubbed by Oracle via an “exemption” takedown request. And some of its clients have also told reporters that select clients can indeed verify with Oracle that the Cloud breach is real, but they must do it entirely by phone, make first contact and promise not to speak about it to anyone else.

Media reports of all of this have prompted a class action lawsuit filed in Texas. It accuses Oracle of knowingly hiding the Cloud breach and failing in its security obligations.

Insider points to similar issues with Oracle Health breach

While Oracle has publicly admitted to the earlier breach of the Health platform, at least in private communications to impacted clients, an employee that spoke to the media (under condition of anonymity) said that the internal response is similarly being hampered by higher-ups.

That breach took place on or about February 20, according to the breach notification sent to clients. The stolen information apparently comes from an older server that was part of the company’s former incarnation as Cerner, but Oracle still has not indicated exactly what personal information was taken or how damaging the breach was. Oracle also told these clients that it would help identify any impacted patients, but would not being doing anything to contact them.

Though there was a notification of the Health incident, it was about as perfunctory as possible. Data breaches that involve HIPAA information generally come with a higher level of customer care. Oracle reportedly sent out a printed notification to potential victims (on plain paper rather than company letterhead), and instructed them that the only means of follow-up communication would be to call their CISO on the phone. As with the Cloud breach, they seem to be going to extreme lengths to avoid putting anything in writing.

The anonymous Oracle employee, speaking to TechCrunch, painted a picture of all of this originating from company leadership. They said that they have been very limited in communications and information about the Health incident, even as they tried to provide initial containment and support to clients. It took days after the breach for them to be able to begin this work, and when they did they say they had to piece things together for themselves and rely on customer Reddit posts for key information as upper management was not providing sufficient assistance.

Oracle Cloud and Health customers must thus take these data breaches more seriously than Oracle has indicated, but the incidents are also raising serious questions about the general safety of their products going forward.