
Oracle Faces Backlash Over Alleged Cloud Security Breach and Data Exposure.

Oracle is under intense scrutiny after reports of two Oracle data breaches emerged within one week. Despite the growing controversy, the company has yet to publicly acknowledge the full extent of the incidents.

Cybersecurity Researcher Exposes Cloud Vulnerabilities

On March 20, 2025, a cybersecurity researcher claimed access to Oracle login systems tied to its cloud services. The exposed data included:

  • Encrypted SSO passwords
  • LDAP credentials
  • Security certificates
  • Employee personal records

Oracle denied any breach within its cloud infrastructure, stating no customer data was compromised. However, analysts found that the leaked data matched live production environments used by real clients.

Root Cause: CVE-2021-35587 Exploitation

Experts traced the breach to CVE-2021-35587, a vulnerability in Oracle Access Manager that permits HTTP-based remote exploitation. Though patched in 2022, Oracle allegedly failed to update its own systems, leaving clients exposed.

Healthcare Clients Impacted in Second Breach

In a separate incident reported around February 20, 2025, Oracle notified healthcare clients that attackers may have accessed patient data using stolen credentials. This raised serious concerns over Oracle’s internal security protocols.

Legal Repercussions and Class-Action Lawsuit

A federal lawsuit was filed in West Texas accusing Oracle of:

  • Negligence
  • Breach of contract
  • Failure to notify affected customers in a timely manner

The suit seeks class-action status and demands compensation along with stronger cybersecurity safeguards for customer data.

Transparency Under Fire

Critics argue that Oracle is attempting to minimize its liability by using technical language and differentiating between Oracle Cloud and Oracle Cloud Classic. Researchers also allege that Oracle tried to remove breach evidence from public archives.

Call for Stronger Cloud Provider Accountability

This incident underscores the critical need for:

  • Timely vulnerability patching
  • Proactive risk management
  • Transparent communication with affected customers

As reliance on cloud services increases, organizations must demand accountability and enhanced security protocols from service providers like Oracle.

Conclusion

The Oracle data breach controversy highlights serious issues in cloud infrastructure security. With legal and reputational consequences mounting, businesses are urged to strengthen vendor risk assessments and implement zero-trust frameworks to mitigate future threats.

https://grctechinsight.com/2025/03/30/oracle-faces-backlash-over-alleged-cloud-security-breach-and-data-exposure/
