COMMENTARY: Just a couple of weeks ago, Oracle Corporation became the center of a major cybersecurity incident involving unauthorized access to, and theft of, sensitive data from its cloud services.
Reports suggest that the compromised data comprises some 6 million records, including credentials, encryption keys, and other authentication-related material belonging to both Oracle and its customers.
This breach has sparked significant concerns among Oracle Cloud users and the broader tech community—not only regarding the security of their data, but also Oracle’s apparent lack of transparency in responding to the attack. The threat actor, identified as “rose87168,” has released evidence supporting their claims, adding pressure on Oracle to acknowledge the incident.
Oracle Cloud provides a comprehensive suite of cloud-based applications and services, including infrastructure, platform, and Software-as-a-Service. It’s particularly attractive to enterprises with complex database needs and organizations using enterprise applications such as customer relationship management (CRM), human capital management (HCM), and supply chain management (SCM).
Oracle's cloud products are widely adopted across industries including healthcare, life sciences, telecommunications, finance, and technology, with many Fortune 500 companies among its users.
Over the years, Oracle has expanded its portfolio through strategic acquisitions, such as its 2022 purchase of Cerner for $28 billion, strengthening its presence in the healthcare sector. That footprint raises the stakes of any data exposure, including potential HIPAA violations and regulatory fines, a concern that materialized only days later when it was reported that legacy data migration servers at Oracle Health had been attacked.
The March breach
On March 21, 2025, cybersecurity firm CloudSEK revealed details of the original attack, alleging that a threat actor had gained access to Oracle Cloud’s single sign-on (SSO) and LDAP systems. Stolen data reportedly includes Java KeyStore (JKS) files, encrypted authentication credentials, key files, and Enterprise Manager Java Platform Security (JPS) keys—critical components for securing authentication and communication in Oracle’s cloud infrastructure.
It's suspected that the attackers exploited a previously patched vulnerability in Oracle Access Manager. While no official post-mortem has been released, it’s possible that some servers were left unpatched, legacy systems were involved, or the attacker had established persistence before the fix was applied in 2022. Reports indicate that the breach entry point was an outdated version of Oracle Fusion Middleware hosted at login.us2.oraclecloud.com, which was taken offline after the attack became public.
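If Java KeyStore (JKS) files were among the stolen artifacts, the practical question for an Oracle Cloud customer is which private keys in its own deployed keystores predate the incident and therefore need to be rotated. The script below is an added example for this column, not code from Oracle or from the researchers cited; it reads the JKS binary format directly (magic, version, entry count, then per-entry tag, alias, timestamp and DER blobs, followed by a SHA-1 integrity digest over the password and the body) and lists the private-key aliases created before a cutoff date. The keystore contents, aliases, placeholder DER bytes and the password "changeit" are all constructed fixtures for the demonstration; the cutoff used is the March 21, 2025 disclosure date mentioned above.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone
from typing import Optional

# On-disk constants of the JKS format as written by Java's JavaKeyStore implementation.
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
JKS_INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string JKS mixes into its SHA-1 integrity digest
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2


def _utf(s: str) -> bytes:
    """DataOutputStream.writeUTF layout: 2-byte big-endian length + UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _blob(b: bytes) -> bytes:
    """4-byte big-endian length prefix + raw bytes."""
    return struct.pack(">I", len(b)) + b


def build_jks(entries: list, password: str) -> bytes:
    """Serialize entries as a JKS v2 keystore. Used here only to construct an offline fixture."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for e in entries:
        body += struct.pack(">I", e["tag"]) + _utf(e["alias"]) + struct.pack(">q", e["created_ms"])
        if e["tag"] == TAG_PRIVATE_KEY:
            body += _blob(e["protected_key"]) + struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                body += _utf("X.509") + _blob(cert)
        else:
            body += _utf("X.509") + _blob(e["cert"])
    digest = hashlib.sha1(password.encode("utf-16-be") + JKS_INTEGRITY_SALT + body).digest()
    return body + digest


class _Reader:
    """Cursor over the keystore bytes with the big-endian primitives JKS uses."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]
    def s64(self) -> int:
        return struct.unpack(">q", self.take(8))[0]
    def utf(self) -> str:
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")
    def blob(self) -> bytes:
        return self.take(self.u32())


def parse_jks(data: bytes, password: Optional[str] = None):
    """Return (entries, integrity_ok). Aliases and timestamps are stored in the clear, so no password
    is needed to inventory a JKS file; the password only verifies the trailing SHA-1 digest."""
    r = _Reader(data)
    magic, version, count = r.u32(), r.u32(), r.u32()
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    entries = []
    for _ in range(count):
        tag, alias, created_ms = r.u32(), r.utf(), r.s64()
        if tag == TAG_PRIVATE_KEY:
            protected_key = r.blob()  # EncryptedPrivateKeyInfo DER, left opaque here
            chain = []
            for _ in range(r.u32()):
                if version == 2:
                    r.utf()  # certificate type, e.g. "X.509"
                chain.append(r.blob())
            entries.append({"alias": alias, "type": "PrivateKeyEntry", "created_ms": created_ms,
                            "chain_len": len(chain), "protected_key_len": len(protected_key)})
        elif tag == TAG_TRUSTED_CERT:
            if version == 2:
                r.utf()
            entries.append({"alias": alias, "type": "TrustedCertEntry", "created_ms": created_ms,
                            "cert_len": len(r.blob())})
        else:
            raise ValueError(f"unknown entry tag {tag}")
    body, stored_digest = data[:r.pos], r.take(20)
    integrity_ok = None
    if password is not None:
        expected = hashlib.sha1(password.encode("utf-16-be") + JKS_INTEGRITY_SALT + body).digest()
        integrity_ok = hmac.compare_digest(expected, stored_digest)
    return entries, integrity_ok


def private_keys_created_before(entries: list, cutoff: datetime) -> list:
    """Aliases of private-key entries older than the cutoff: the rotation candidates."""
    cutoff_ms = int(cutoff.timestamp() * 1000)
    return [e["alias"] for e in entries if e["type"] == "PrivateKeyEntry" and e["created_ms"] < cutoff_ms]


def _ms(y: int, m: int, d: int) -> int:
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)


SAMPLE_PASSWORD = "changeit"  # constructed fixture password, not a real store password
DISCLOSURE_DATE = datetime(2025, 3, 21, tzinfo=timezone.utc)  # CloudSEK disclosure date cited above


def sample_keystore() -> bytes:
    """Constructed fixture: hypothetical aliases and placeholder DER bytes, not real key material."""
    return build_jks([
        {"tag": TAG_PRIVATE_KEY, "alias": "sso-signing", "created_ms": _ms(2024, 1, 15),
         "protected_key": b"\x30\x03\x02\x01\x00", "chain": [b"\x30\x00"]},
        {"tag": TAG_TRUSTED_CERT, "alias": "idp-root", "created_ms": _ms(2024, 1, 15), "cert": b"\x30\x00"},
        {"tag": TAG_PRIVATE_KEY, "alias": "sso-signing-2025", "created_ms": _ms(2025, 4, 1),
         "protected_key": b"\x30\x03\x02\x01\x00", "chain": [b"\x30\x00"]},
    ], SAMPLE_PASSWORD)


if __name__ == "__main__":
    found, ok = parse_jks(sample_keystore(), SAMPLE_PASSWORD)
    print("integrity digest matches:", ok)
    print("rotate:", private_keys_created_before(found, DISCLOSURE_DATE))
```

Two points worth noting from the parse. First, everything the inventory needs (aliases, entry types, creation timestamps, certificate chains) sits unencrypted in the file, so whoever holds a stolen JKS file already has that same map of which keys exist; only the private key bytes are password-protected. Second, the trailing digest is a plain SHA-1 over the password and body, not a MAC with a separate key, so a matching digest confirms the store password, nothing more; it is not evidence that the file has not been copied.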
Despite multiple findings from independent security researchers, Oracle has categorically denied any breach, stating:
"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Even if Oracle's claims turn out to be accurate, the company's response appears inadequate for a public company subject to global regulatory requirements. Transparency and accountability are critical when handling security incidents, because an incident affects not just a company's own operations, but also those of customers and partners across the supply chain. A lack of clear communication erodes trust and leaves users uncertain about the safety of their data.
In response to this incident, organizations using Oracle Cloud should take immediate steps to assess and secure their environments. The following actions are recommended:
Beyond responding to this particular breach, all organizations—whether using Oracle Cloud or other providers—should follow best practices to enhance their cloud security posture:
The March incident involving Oracle reinforces the principle that cloud security is a shared responsibility. Organizations cannot assume that their cloud provider offers absolute protection. Mistakes, misconfigurations, and vulnerabilities are inevitable. Security and DevOps teams must proactively prepare for such risks, implementing the right security measures to limit the impact of breaches.
Moreover, this breach raises broader questions about vendor transparency and accountability. Customers should demand higher standards, choosing cloud providers not just based on features and pricing, but on their commitment to security, transparency, and trust.
Shira Shamban, vice president of cloud, CYE
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.