Enterprise computing giant Oracle continues to be at the center of reports of a significant breach of customer records on its cloud compute platform. Publicly, the company rebuffs assertions that it is the victim of a breach, while privately it is reportedly telling customers that hackers compromised a “legacy” Oracle environment.
An article published by Bloomberg cites multiple Oracle customers who shared that Oracle issued notifications of a data breach. Bloomberg said that the exposed customer data includes customer usernames, passkeys, and encrypted passwords.
Oracle did not respond to a request from SC Media for comment on the matter, but is on the record as denying any breach of its systems.
Experts point out it is possible that the leak of data was the result of a client being compromised and not an internal breach of Oracle itself.
That said, there have been a number of reports and claims that could suggest the issue is far more extensive than Oracle initially let on. A report from SecurityWeek notes that a hacker has been advertising an archive of Oracle customer data.
In the report, it is alleged that the attacker has access to some 10,000 customer account records and meeting details.
The reports might not be completely related; it could be that there were multiple claims regarding different instances. However, Oracle is not doing itself any favors by withholding public comment or disclosure.
The company has always had a reputation for keeping its cards close to the vest when it comes to internal matters, specifically security issues.
Industry pundits have echoed these sentiments, criticizing Oracle for its insistence on not providing details or context when possible security incidents are reported or data breaches are claimed.
Earlier this month, CYE vice president of cloud Shira Shamban told SC Media that Oracle’s history of being cagey in public statements and media acknowledgement of data breaches can make it hard for organizations to gauge the possible extent, or severity, of possible security incidents.
Shamban suggested that customers could push back against Oracle for greater transparency and openness.
“Even if there’s a small chance that Oracle’s claims are accurate, the company’s response appears inadequate for a public company subject to global regulatory requirements.
“Transparency and accountability are critical when handling security incidents, as they affect not just a company’s own operations, but also those of customers and partners across the supply chain. A lack of clear communication can erode trust and leave users uncertain about the safety of their data.”