Oracle Breach Fallout Piles Up, Class Action Filed
April 16, 2025

Oracle has come under fire after it quietly acknowledged a cyberattack on its public cloud infrastructure, resulting in the theft of customer data. A class action, Michael Toikach, individually and on behalf of all others similarly situated, Plaintiff v. Oracle Corporation, has been filed in Texas.
Iain Thomson reports in The Register that this admission contradicts Oracle’s initial public denials following online claims of a breach.
Along with the class action, the incident has triggered internal investigations and external scrutiny. It raises serious concerns about cloud security, corporate transparency, and Oracle’s legal obligations.
In late March, a hacker known as “rose87168” claimed to have breached Oracle’s login servers, stealing around six million records containing sensitive customer data, including security keys and credentials.
The stolen data, allegedly affecting thousands of organizations, was listed for sale on a cybercrime forum. Oracle initially denied the breach.
However, cybersecurity experts verified the stolen data’s authenticity, tracing the breach to an unpatched vulnerability (CVE-2021-35587) in Oracle Access Manager.
Oracle has since begun quietly notifying some affected customers and brought in the cybersecurity firm CrowdStrike to investigate. The company claimed the compromised server contained outdated data from eight years ago, although at least one customer reported theft of login data from 2024.
The FBI is now reportedly involved. Notably, this breach is separate from another incident involving Oracle Health, which the company has yet to address. Oracle’s failure to disclose the breach promptly may also put it at odds with data protection laws like the General Data Protection Regulation (GDPR), which could result in a fine of up to four percent of global revenue.
Legal teams advising clients on cloud services should evaluate contractual obligations regarding data security and disclosure timelines. Firms should also monitor evolving legal risks around data privacy laws such as GDPR and the Health Insurance Portability and Accountability Act (HIPAA) to guide clients facing similar incidents or regulatory scrutiny.