Alleged breaches affect Oracle Cloud and Oracle Health.
Signage stands at the Oracle Corp. headquarters campus in Redwood City, California, on March 14, 2016. Credit: Michael Short/Bloomberg via Getty Images
Oracle isn’t commenting on recent reports that it has experienced two separate data breaches that have exposed sensitive personal information belonging to thousands of its customers.
The most recent data breach report, published Friday by Bleeping Computer, said that Oracle Health—a health care software-as-a-service business the company acquired in 2022—had learned in February that a threat actor accessed one of its servers and made off with patient data from US hospitals. Bleeping Computer said Oracle Health customers have received breach notifications that were printed on plain paper rather than official Oracle letterhead and were signed by Seema Verma, the executive vice president & GM of Oracle Health.
The other report of a data breach occurred eight days ago, when an anonymous person using the handle rose87168 published a sampling of what they said were 6 million records of authentication data belonging to Oracle Cloud customers. Rose87168 told Bleeping Computer that they had acquired the data a little more than a month earlier after exploiting a vulnerability that gave access to an Oracle Cloud server.
Researchers at outside security firms who have reviewed data provided by rose87168 said it appeared to be genuine. Cloudsek researchers said the firm “assesses this threat with medium confidence and rates it as High in severity.” In all, they said, more than 140,000 tenants—meaning customers using Oracle Cloud services—were affected.
Trustwave’s Spider Labs, meanwhile, said the sample of LDAP credentials provided by rose87168 “reveals a substantial amount of sensitive IAM data associated with a user within an Oracle Cloud multi-tenant environment. The data includes personally identifiable information (PII) and administrative role assignments, indicating potential high-value access within the enterprise system.”
Oracle initially denied any such breach had occurred against its cloud infrastructure, telling publications: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
On Friday, when I asked Oracle for comment, a spokesperson asked if they could provide a statement that couldn’t be attributed to Oracle in any way. After I declined, the spokesperson said Oracle would have no comment.
For the moment, there’s a stand-off between Oracle on the one hand, and researchers and journalists on the other, over whether two serious breaches have exposed sensitive information belonging to its customers. Reporting that Oracle is notifying customers of data compromises in unofficial letterhead sent by outside attorneys is also concerning. This post will be updated if new information becomes available.