Oracle faces backlash over data breaches that have exposed millions of customer records

By willowt // 2025-04-04

Mastodon

Parler

Gab

Copy

Oracle, led by Larry Ellison, is under fire for mishandling two major breaches — one involving Oracle Cloud (exposing 6 million customer credentials) and another affecting Oracle Health (compromising sensitive patient data).
Oracle initially denied the Cloud breach, drawing backlash for evasive language. Cybersecurity experts like Kevin Beaumont condemned its opaque communication, urging clear accountability.
Hackers accessed unsecured legacy servers in Oracle Health, stealing patient data and attempting extortion. Employees reported poor internal communication, leaving customers and staff in the dark.
The breaches cast doubt on Oracle’s push into AI-powered surveillance and centralized data management, with experts like Lisa Forte questioning its ability to safeguard sensitive information.
Oracle’s failures reflect systemic issues in tech cybersecurity. Its reputation is damaged by weak crisis response, raising doubts about its role as a trusted data steward.

Tech giant Oracle, under the leadership of co-founder and executive chairman Larry Ellison, is facing mounting criticism over its handling of recent data breaches that have exposed millions of customer records and sensitive healthcare data. These incidents come at a time when Oracle is positioning itself as a central player in the AI-powered surveillance and data storage sector, raising serious questions about its ability to protect the very data it seeks to manage. The breaches not only reveal technical vulnerabilities but also highlight a troubling lack of transparency and accountability from the company.

Two breaches, one pattern of denial

The first reported incident, which occurred in early March, involved Oracle Cloud, a service used by millions of customers worldwide. A hacker going by the handle “rose87168” offered data belonging to six million Oracle Cloud customers, including authentication credentials and encrypted passwords. Despite mounting evidence, Oracle initially denied any breach, claiming, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” This response drew immediate backlash from cybersecurity experts. Kevin Beaumont, a prominent cybersecurity expert, was critical of Oracle’s handling of the situation. Beaumont wrote in a blog post, “Oracle is attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay.” He emphasized the importance of clear communication, stating, “Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it.”

Healthcare data breach: Extortion attempts and opaque responses

The second breach, reported in late March, involved Oracle Health, a subsidiary providing technology solutions for the healthcare industry. This breach, which affected patient data from hospitals and other healthcare providers, has been the subject of intense scrutiny. Oracle Health provides services for accessing health records online, and in this case, hackers managed to access sensitive patient information stored on an old legacy server not yet migrated to the Oracle Cloud. Bloomberg and Bleeping Computer reported that the breach involved unauthorized access to Oracle servers, leading to the theft of patient data. Hackers are reportedly attempting to extort millions of dollars from affected healthcare organizations. Oracle notified some of its customers of the breach in March, but the response has been far from reassuring. An Oracle employee, who requested anonymity, told TechCrunch, “My team was not able to access customers’ environments for a number of days. My concern is not just with patient data breach. Access through hosts allows any and all access to what is hosted, obviously.”

Frustrating lack of transparency

The lack of transparency in Oracle’s responses has been particularly concerning for both customers and employees. The unnamed Oracle employee further described the situation, saying, “I felt super ignored. The company seemed to be saying, ‘Nothing to see here, move right along.’” The employee recounted how they had to rely on internal Slack channels and Reddit posts to gather information about the breach, a stark contrast to the professional crisis management that is expected from a major tech company.

Larry Ellison’s surveillance ambitions in question

Oracle’s handling of these breaches comes at a time when Larry Ellison is aggressively pushing the company to become a central player in the AI surveillance and data management sector. In a presentation just a month before the breaches, Ellison outlined plans to centralize vast amounts of data, including DNA records, and to implement AI-powered surveillance systems to monitor citizen behavior. These ambitions are now under heavy scrutiny, with many questioning Oracle’s ability to secure the sensitive data it seeks to handle. Cybersecurity expert Lisa Forte echoed these concerns, stating on Bluesky, “if this ends up being true, and I struggle to see how it won’t, this is a very very bad look.”

Historical context and the future of data security

These breaches are part of a broader trend in the tech industry where data breaches and cybersecurity failures are becoming more frequent. While Oracle is not alone in facing these challenges, its position as a major player in both cloud computing and healthcare technology makes these incidents particularly concerning. Historical context shows that the tech industry has been slow to adopt strong cybersecurity practices, and Oracle’s reputation is further hurt by its failure to communicate effectively with both customers and employees. In conclusion, Oracle’s recent data breaches and its opaque response highlight serious issues of trust and accountability within the tech industry. As the company continues to position itself as a leader in AI surveillance and data management, its ability to protect sensitive information is crucial. The tech community and its customers will continue to watch Oracle closely, and until they see clear, transparent steps to address these issues, confidence in the company’s capabilities will remain severely shaken. Sources include: ReclaimTheNet.org BleeepingComputer.com TechCrunch.com