Oracle says its cloud was in fact compromised – Source: go.theregister.com

Source: go.theregister.com – Author: Iain Thomson

Oracle has briefed some customers about a successful intrusion into its public cloud, as well as the theft of their data, after previously denying it had been compromised.

Claims of a cyberattack on Oracle’s cloud service emerged in late March when a miscreant using the handle “rose87168” boasted of cracking into two of Big Red’s login servers for customers and harvesting around six million records, which included clients’ private security keys, encrypted credentials, and LDAP entries. The netizen put the info, involving thousands of organizations, up for sale on a cybercrime forum.

The Safra Catz-run database giant swore blind the claims were false. It turns out the only thing false was the denials.

Multiple information security experts analyzed samples of the stolen data, shared by rose87168 as proof of their heist, and concluded Oracle’s Cloud Classic product was indeed compromised by the thief, likely by exploiting Oracle-hosted login servers that weren’t patched against CVE-2021-35587, a vulnerability in Oracle Access Manager, a product in the Oracle Fusion Middleware suite. Oracle hadn’t patched a hole in its own software on its own systems, leading to the theft of info. No wonder it kept quiet.

The data thief even created a text file in early March on login.us2.oraclecloud.com containing their email address to show they had access at one point.

Now, two of the IT titan’s customers have said Oracle contacted them to quietly discuss the theft of their data from its cloud offering, and had enlisted CrowdStrike to straighten out this mess. The antivirus slinger declined to confirm this, “respectfully” referring The Register to Oracle. It’s said the FBI is also probing the intrusion.

According to Bloomberg, Oracle told the two customers a thief compromised an old server that stored eight-year-old data, so the credentials stored there were likely out of date.

However, another customer said login data as recent as 2024 was taken. Oracle is facing a lawsuit in Texas over this SNAFU; the discovery process may be interesting.

The heist Oracle has quietly admitted to is separate to an attack against Oracle Health. So far Big Red has refused to comment on that incident.

One hopes Oracle hasn’t run foul of Europe’s General Data Protection Regulation, aka the GDPR, which requires organizations report the theft of customer data to affected folks within 72 hours of discovery. Otherwise the biz may face a fine of between two and four percent of global revenue.

In the US, there’s no federal security breach reporting requirement, though various states require swift disclosure. Meanwhile, if Oracle’s Health platforms have been raided as feared, it could be fined under the Health Insurance Portability and Accountability Act, aka HIPAA.

Oracle may also face class-action challenges as lawyers have started looking for aggrieved parties. The corporation’s decision not to openly admit to any intrusion at all is unusual. And won’t work. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/04/08/oracle_cloud_compromised/
