Oracle Cloud breach: Lessons on public cloud risk

Oracle Cloud appears to have fallen victim to a breach by threat actors for the second time in two months. Despite their size, large Cloud providers may not be the safest option for firms.

11 April 2025
By Jennie Clarke
Written by humans

In brief:

  • Public cloud provider Oracle has informed some customers that a threat actor may have accessed its cloud and stolen PII, the second such breach in as many months
  • FINRA has warned firms that “data stored in the Oracle Cloud Platform could be vulnerable”
  • As large, public cloud providers face outages and security breaches, we take a look at the key lessons to learn

Public cloud provider Oracle has informed some customers that a hacker gained access to its systems and stole Personally Identifiable Information (PII). On April 1, 2025 – in guidance that many may have hoped was an April Fool’s joke – the Financial Industry Regulatory Authority (FINRA) announced that firms “should be aware of an alleged large-scale data breach possibly affecting Oracle Cloud services.”

Oracle has so far publicly denied the breach. A spokesperson for Oracle told cybersecurity news firm SecurityWeek,

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

However, Bloomberg has now reported that Oracle is privately contacting customers to inform them of a breach, and that CrowdStrike and the Federal Bureau of Investigation (FBI) are investigating.

This is the second time in as many months that the public cloud provider has encountered security issues. In February, an unidentified person was found to be selling data stolen from Oracle Cloud servers. This latest data breach is separate from the initial incident, and appears to be the result of an attacker gaining access to Oracle Cloud through a legacy technology platform.

FINRA’s response to Oracle’s cloud breach

According to FINRA, a “threat actor” has advertised almost six million data records for sale, with claims that the PII came from Oracle Cloud’s federated Single Sign On (SSO) login servers. While FINRA has not yet verified the validity of the claims, it notes that:

“Data stored in the Oracle Cloud Platform could be vulnerable.”

Amid Oracle’s denial of the incident, the threat actor has attempted to verify that the data is from Oracle Cloud by posting data samples and lists of 140,000 compromised domain names. Representatives from some of the listed organizations have confirmed that the data is genuine and was hosted on a production environment of Oracle Cloud.

FINRA has suggested that firms review its guidance on the incident and assess any potential impact to their operations, as well as the operations of any third-party service providers. It notes that large-scale data breaches “continue to target the financial services sector” and suggests that firms review FINRA’s documentation about cyber incidents.

Lessons learned from the public cloud attack

Organizations often opt for large, public cloud offerings on the grounds that they’re a ‘safe bet’: because public cloud platforms hold huge amounts of critical data and are therefore tempting targets, their architectures are expected to meet a high bar of security and resiliency.

However, this breach of Oracle’s infrastructure is the latest in a series of events suggesting that large cloud offerings may not be as safe as assumed. Last year, 8.5 million Microsoft devices were rendered unusable after an IT outage driven by a CrowdStrike update. Now, the PII of perhaps millions of individuals is exposed because a hacker was able to access a public cloud provider’s systems.

This latest development is a cautionary tale, and one that carries three key lessons for financial services:

Bigger isn’t always better

As the Oracle Cloud breach shows, the size of a company doesn’t guarantee security. Often, large cloud providers build their technology on a patchwork foundation of legacy platforms, integrating multiple new acquisitions and bolt-ons. This leaves ‘gaps’ in systems that can be vulnerable to attack. As seen in the recent Oracle breach, an individual was able to gain access to PII through legacy technology platforms.

As some firms scale their technology, they lose sight of the entire data ecosystem, meaning that apparently impenetrable data stores become vulnerable. When choosing a cloud service provider, firms should look further than brand name. They should be checking security credentials and history of breaches, and working to understand how the provider’s technology stack has evolved.

Third-party risk can increase with scale

The Oracle Cloud hack not only raises questions about data security, but also highlights the importance of third-party risk mitigation. FINRA’s guidance asked firms to assess their operations and the operations of third-party providers.

In the event of a data incident, firms need to understand how that incident affects the overall running of their business. If they rely on a network of third-party providers to deliver critical services, operational resilience can be difficult to achieve. After all, the more third parties a firm relies on, the greater the potential scope of damage – the more links in a chain, the higher the chance of a weak one. When selecting technology providers, firms should look at vendors that are able to deliver end-to-end services to minimize their third-party network and, in turn, mitigate third-party risk.

Support and accountability matter

In a move that is perhaps uncharacteristic of data-centric organizations, Oracle is yet to take public accountability for the breach. At the time of writing, Oracle had not taken responsibility for the leaked data, despite FINRA’s warnings. Similarly, it has openly denied that the data breach is owing to lax security at the firm – while simultaneously contacting customers about breached data.

How an organization responds to crises is often indicative of the service a customer receives. In the event of a data governance incident, organizations should be guided and offered support through the implications of that incident, not struggling to understand whether or not their data was compromised. The information some service providers share about data breaches can be cloudy – when what firms need is clarity.

Global Relay has built its own cloud from the ground up. We understand where your data is stored, own the infrastructure that allows us to store it, and have unparalleled security to ensure your data is never lost and never compromised.
