
Oracle Downplays Data Breach in the Cloud

Just when you thought your data was safe in the Cloud, it might turn out to be…well, not so much.  Despite Oracle’s initial denials and continuing attempts to downplay the incident, word eventually got around that cyber criminals had breached Oracle Health, a healthcare technology branch, soon followed by a breach of Oracle Cloud itself.  The hacker responsible has so far published over 10,000 records of Oracle Cloud tenants, including user credentials.  In total they claim to have millions of data lines from over 140,000 users.

Despite notifying a number of customers of the Health breach, Oracle continues to insist there was no compromise of its actual Cloud systems.  According to a statement from Oracle reported by Bleeping Computer, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”  And yet, it sounds like Oracle is trying to use some linguistic gymnastics to escape on a technicality.  Considering that their old Oracle Cloud services were rebranded as Oracle Classic, they could technically say the Cloud wasn’t breached, even though it’s still their cloud service.  Simone Biles would be proud of that level of gymnastics.  Otherwise, Oracle seems steadfast in its refusal to acknowledge the reality of the issue, even against substantial evidence.

This proceeds while Oracle notifies customers about compromised usernames and passwords.  An anonymous employee reaching out to TechCrunch reports how Oracle employees involved with incident response have met with resistance and even silence from the upper rungs.  This is compounded by further research that suggests Oracle actively tried to hide evidence by filing takedown requests of some of the hacker’s proof, while also covertly addressing the breach only to larger clients who ask and only by telephone. 

That the passwords offered by the hacker were encrypted shows an important measure of mitigation for Oracle: without it, their hot water would be even more boiling.  To ensure cyber criminals in these instances can’t get full access, it’s crucial to implement solutions like NetLib Security’s Encryptionizer that provide strong encryption of stored data across physical, virtual and cloud environments.  There’s nothing more inexcusable for an organization that handles sensitive data and credentials than to leave it exposed as plain text.

It’s difficult to see this as anything other than the company digging itself deeper, one error after another, especially when one class-action suit has already been raised.  Oracle’s handling of the issue so far seems a textbook case of how not to respond to a data breach, especially when they stymie employees who actually are trying to deal with it.  Where this ends for the company, and what the hacker ultimately does with the stolen data, remains to be seen, but it is a troubling sign for the supposedly solid security of the cloud.

 

By: Jonathan Weicher, post on April 10, 2025
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security