from Hacker News

Oracle attempt to hide cybersecurity incident from customers?

by 2bluesc on 3/31/25, 3:11 PM with 127 comments

  • by legitster on 3/31/25, 5:59 PM

    If you are already a customer of Oracle, I can't imagine this matters to you. You did not choose Oracle because it was a good product and they are a good company. You are a customer of Oracle because there was a backroom executive deal with the Devil. No one is surprised or outraged or even has any choices.
  • by nerdjon on 3/31/25, 4:18 PM

    This is honestly wild.

    Whether we like it or not, security incidents have become so commonplace in the last several years that if they just admitted to it, this entire story would have likely been shrugged off and mostly forgotten about in a couple days, but instead it is turning into an entire thing that just seems to be getting deeper and deeper. (Not downplaying the security incident, but that is the unfortunate reality.)

    Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?

    Are they somehow really confident that this didn't happen, maybe they don't have the logs to confirm it? Trying to think about how this is anything except them just straight up lying.

    I can't remember the last time we saw a company this strongly try to deny that something like this happened. Especially when according to Ars Technica:

    > On Friday, when I asked Oracle for comment, a spokesperson asked if they could provide a statement that couldn’t be attributed to Oracle in any way. After I declined, the spokesperson said Oracle would have no comment.

  • by autoexec on 3/31/25, 4:19 PM

    There are various state laws that require companies to notify their customers of security breaches, but they lack enforcement/teeth so they're routinely ignored. It'll never happen in our current environment but we really need a federal law that causes violators enough pain that companies will actually bother to follow the law.
  • by prdonahue on 3/31/25, 6:56 PM

    We're primarily an AWS shop but some Oracle BDR assigned to cover us recently reached out on LinkedIn.

    I asked for an incident report and received this terse response:

    > There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.

  • by mrbluecoat on 3/31/25, 5:31 PM

    > NetSuite will indemnify Customer up to an amount equal to five (5) times the equivalent of 12 months of license fees applicable at the time of the event, from and against any Losses incurred by Customer

    https://www.sec.gov/Archives/edgar/data/1428669/000119312508...

  • by mentalgear on 3/31/25, 4:21 PM

    Ah, another notch in the belt for Larry Ellison's Oracle data security scandals.

    Matches Larry's other political and societal scandals.

  • by xyst on 3/31/25, 7:02 PM

    This is a deliberate attempt to cover up their incompetence. It should be criminal to deceive the public and your _paying_ customers.

    Executives need to go to jail. People need to be fired.

    This won’t happen though, definitely not under this current administration.

  • by islanderfun on 3/31/25, 5:15 PM

    Post-truth era is wild. But this seems like standard Oracle behavior for a while now.
  • by richwater on 3/31/25, 3:47 PM

    Pretty on par for what I expect from Oracle. I'm surprised there's no corporate contracts involved yet.
  • by aurizon on 3/31/25, 6:10 PM

    Create a 'Wicki-hacks.com', like Wikipedia, where incidents are listed in detail - anonymously and indexed akin to Wikipedia with editors that create and verify an incident in such a way that Horacle etc. cannot deny or get it taken down.
  • by MPSFounder on 3/31/25, 3:48 PM

    Oracle is notoriously stingy. They'd rather lose the data, pay a fine and deny it happened (settle), than own up to it.
  • by homiedk on 3/31/25, 5:25 PM

    The troubling aspect (besides the denials, of course) is the absence of controls that should have sniffed this out ASAP. Apparently:

    - no passive network monitors showing an unknown IP/MAC/Location
    - no SOAR to kill off the attempts to gain a foothold/move laterally
    - no alerts on the above or anything else in the SOC
  • by tmpz22 on 3/31/25, 5:28 PM

    It's times like this Oracle needs to lean on its good reputation and ask for forgiveness from the customers they've been loyal to for so long.
  • by 1970-01-01 on 3/31/25, 5:15 PM

    I hear fines are up to thousands of dollars now..
  • by layman51 on 3/31/25, 11:00 PM

    The scary thing is that Oracle is able to take down items from Archive.org.
  • by terom on 3/31/25, 4:22 PM

  • by NickC25 on 3/31/25, 4:04 PM

    how is that not securities fraud?

    they are under legal obligation to tell investors about this sort of shit.

  • by LZ_Khan on 3/31/25, 7:50 PM

    Annnnd this is why Google bought Wiz huh.