If you are already a customer of Oracle, I can't imagine this matters to you. You did not choose Oracle because it was a good product and they are a good company. You are a customer of Oracle because there was a backroom executive deal with the Devil. No one is surprised or outraged or even has any choices.
Whether we like it or not, security incidents have become so commonplace in the last several years that if they just admitted to it, this entire story would have likely been shrugged off and mostly forgotten about in a couple days, but instead it is turning into an entire thing that just seems to be getting deeper and deeper. (Not downplaying the security incident, but that is the unfortunate reality).
Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?
Are they somehow really confident that this didn't happen, maybe they don't have the logs to confirm it? Trying to think about how this is anything except them just straight up lying.
I can't remember the last time we saw a company this strongly try to deny that something like this happened. Especially when according to Ars Technica:
> On Friday, when I asked Oracle for comment, a spokesperson asked if they could provide a statement that couldn’t be attributed to Oracle in any way. After I declined, the spokesperson said Oracle would have no comment.
There are various state laws that require companies to notify their customers of security breaches, but they lack enforcement/teeth so they're routinely ignored. It'll never happen in our current environment but we really need a federal law that causes violators enough pain that companies will actually bother to follow the law.
We're primarily an AWS shop but some Oracle BDR assigned to cover us recently reached out on LinkedIn.
I asked for an incident report and received this terse response:
> There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.
> NetSuite will indemnify Customer up to an amount equal to five (5) times the equivalent of 12 months of license fees applicable at the time of the event, from and against any Losses incurred by Customer
Create a 'Wicki-hacks.com', like Wikipedia, where incidents are listed in detail - anonymously and indexed akin to Wikipedia with editors that create and verify an incident in such a way that Horacle etc cannot deny or get it taken down.
The troubling aspect (besides the denials of course) is the absence of controls that should have sniffed this out ASAP. Apparently:
- no passive network monitors showing an unknown IP/MAC/location
- no SOAR to kill off the attempts to gain a foothold/move laterally
- no alerts on above or anything else in the SOC
Oracle attempt to hide cybersecurity incident from customers?
(doublepulsar.com) 631 points by 2bluesc, 31 March 2025 | 127 comments
Comments
https://www.sec.gov/Archives/edgar/data/1428669/000119312508...
Matches Larry's other political and societal scandals.
Executives need to go to jail. People need to be fired.
This won’t happen though, definitely not under this current administration.
They are under legal obligation to tell investors about this sort of shit.