Oracle Insiders and Customers Raise Questions About Its Handling of Recent Data Breaches - CPO Magazine (2025)

Oracle is dealing with the fallout of two recent data breaches, one of which it has yet to formally acknowledge. That breach has its Oracle Cloud clients, several of whom have publicly confirmed follow-on breaches, clamoring for answers. The earlier breach, an attack on Oracle Health that took place in early 2025, has prompted a company insider to come forward and anonymously raise questions about its transparency and handling of the issue.

Oracle criticized for withholding information about cloud, health data breaches

The two data breaches are separate issues, but the common theme is criticism of Oracle’s forthrightness about what exactly happened and what victims should expect going forward.

The first data breach, that of Oracle Health, has been confirmed by the company and took place on or around February 20. Some customers of the platform, which handles patient data and offers analytics tools among other products, have privately received notifications about a breach that impacted “an old legacy server not yet migrated to the Oracle Cloud.”

However, Oracle Cloud itself also appears to have been breached just weeks later. This is the more opaque of the two data breaches, as Oracle still refuses to acknowledge it and has made public statements indicating that it does not believe the breach happened. Some of its clients, however, have independently confirmed that data samples posted by the attacker are genuine.

The Oracle Health breach only came to public light in late March, and Oracle still has not made a formal disclosure beyond the notifications sent to impacted clients. The company has said that patient health data “may” have been involved, but it remains unclear exactly what or how much. The company has left it up to impacted hospitals to individually notify any patients that might have had personal information exposed. Some hospitals have privately told media sources that a hacker is attempting to extort them with stolen information, in some cases for millions of dollars.

Oracle got off on the wrong foot with its Health customers with a non-standard and seemingly somewhat dismissive response. Data breaches containing sensitive personal information, in this case potentially covered by HIPAA requirements, are generally accompanied by guidance for victims along with reports on the breach cause and response efforts. Oracle has thus far provided only a breach notification on plain paper and has instructed victims that the only available means of follow-up is to contact their CISO by phone.

An Oracle employee, speaking to TechCrunch reporters anonymously, has filled in some details from behind the scenes. They say that employees involved in the breach response are similarly being stonewalled by higher-ups, with very little formal internal communication about or even acknowledgement of the incident. It reportedly took days for front-line employees to be able to access customer environments to respond, and so little information about the breach was made available internally that they were turning to Reddit posts by impacted customers to learn more.

Oracle Cloud data breach yet to be acknowledged

The second of the data breaches is the one the company has yet to acknowledge publicly, but mounting evidence indicates that it is real and that Oracle Cloud customers should be actively responding to it.

That breach stems from a post to Breach Forums offering some six million records claimed to be from the Oracle Cloud SSO platform. The threat actor has provided an assortment of proof of the breach to the media, including uploading a text file with their email address to the server they claimed to have compromised, and Cloud customers have also since stepped forward to verify that data samples the hacker posted are legitimate.

However, after an initial denial, Oracle continues to refuse to address the issue further. Security researchers have been independently advising Oracle Cloud customers to take action in spite of this, noting that the evidence in favor of the breach is very substantial at this point.

Further investigation by independent security researchers indicates Oracle may have actively tried to hide evidence of the data breaches by filing an archive.org takedown request to remove some of the proof the hacker posted, such as the URL and email address they were able to upload to the compromised server. These reporters also claim that, since publishing the article, some Oracle Cloud clients have contacted them anonymously to say that Oracle is confirming the data breach to larger clients that directly query it about the breach, but will only speak over the phone and refuses to send any form of written communication about it.

The data breaches may well take a major toll on Oracle, not only in reputational damage but also in additional financial cost. It has reportedly been hit with a class action suit over the Cloud breach, with a lead plaintiff filing in Texas accusing the company of failing to properly secure private data and actively concealing the breach from customers. The suit seeks as-yet unspecified compensation for participants as well as a government order to Oracle to improve its cybersecurity.

Article information

Author: Merrill Bechtelar CPA
