Oracle Breached: 6M Records Stolen, Patient Data Exposed – What Went Wrong?

Key Points

  • Research suggests Oracle faced two major breaches in early 2025: one affecting Oracle Cloud Classic and another impacting Oracle Health, compromising customer and patient data.
  • It seems likely that the Cloud breach involved 6 million records, including credentials and an internal meeting video, while the Health breach exposed sensitive patient data from U.S. healthcare organizations.
  • The evidence leans toward these breaches highlighting vulnerabilities in legacy systems, with Oracle initially denying and later acknowledging the issues, raising transparency concerns.
  • There is controversy around Oracle’s handling, with a class-action lawsuit and potential regulatory fines under discussion.

Overview

Oracle, a leading cloud and enterprise software provider, experienced significant security breaches in early 2025, affecting both its cloud infrastructure and healthcare services. These incidents have raised concerns about data security and transparency, impacting customers and patients alike.

Oracle Cloud Breach Details

The Oracle Cloud breach, claimed by hacker “rose87168,” involved the theft of approximately 6 million records, including customer data, user credentials, and an internal meeting video. It began in January 2025 and was detected in late February, likely exploiting a known vulnerability, CVE-2021-35587, in Oracle Access Manager.

Oracle Health Breach Details

Simultaneously, a legacy server hosting healthcare data was breached, compromising patient information from organizations such as the Department of Veterans Affairs and the U.S. Coast Guard; the intrusion was discovered around February 20, 2025.

Implications and Response

Oracle initially denied the Cloud breach but later acknowledged it privately, claiming the data was outdated, though evidence suggested otherwise. The Health breach saw limited public disclosure, with customers left to notify patients. These incidents have led to legal actions and potential regulatory scrutiny.


Detailed Analysis of Oracle Cloud Breach

The Oracle Cloud breach was brought to light by a hacker using the alias “rose87168,” who claimed responsibility for stealing approximately 6 million data records. The stolen data included:

  • Customer records, encompassing personal and organizational information.
  • User credentials, such as usernames, passkeys, and encrypted passwords.
  • A video from an internal Oracle meeting, indicating deep system access.

The timeline of the breach indicates it began as early as January 2025, remaining undetected until late February 2025. The method of attack likely involved exploiting CVE-2021-35587, a known vulnerability in Oracle Access Manager, part of Oracle Fusion Middleware. Further analysis suggests the use of a 2020 Java exploit to deploy a web shell and malware on Oracle’s Gen 1 servers, pointing to persistent access techniques.

Oracle’s initial response was to deny the breach, stating publicly that “no Oracle Cloud customers experienced a breach or lost any data.” However, private notifications to affected customers later acknowledged the incident, attributing it to Oracle Cloud Classic, a platform discontinued since 2017. This claim was contradicted by evidence from the hacker, who shared data samples on BreachForums, including records from 2024 and 2025, suggesting the data was not outdated.

Security firms like CloudSEK, Hudson Rock, and Trustwave analyzed the leaked data and confirmed its origin from Oracle’s production environment. This breach highlights several critical issues:

  • Legacy System Vulnerabilities: Oracle Cloud Classic, being an older platform, lacked modern security controls, making it a target.
  • Exploitation of Known Vulnerabilities: The use of CVE-2021-35587 underscores the importance of timely patching, as this flaw was documented but apparently unaddressed.
  • Detection Delays: The breach went unnoticed for weeks, indicating potential weaknesses in Oracle’s monitoring and incident detection capabilities.

Detailed Analysis of Oracle Health Breach

The second breach targeted a legacy server hosting healthcare data that had not yet been migrated to Oracle Cloud. The stolen data included sensitive patient information from multiple U.S. healthcare organizations, such as:

  • Department of Veterans Affairs
  • U.S. Coast Guard
  • Department of Defense

The breach was discovered around February 20, 2025, with the method involving unauthorized access to the legacy server. Specific exploit details remain unclear, but the incident mirrors the Cloud breach in targeting outdated infrastructure.

Oracle’s response was to inform affected healthcare customers, emphasizing that this breach was unrelated to the Cloud incident. However, public disclosure was limited, and Oracle left it to healthcare providers to notify impacted patients, potentially delaying transparency. The exposure of personally identifiable information (PII) and personal health information (PHI) raises significant regulatory concerns, particularly under HIPAA, which could lead to fines and further scrutiny.

Legal and Financial Implications

The breaches have triggered legal and financial repercussions for Oracle:

  • Class-Action Lawsuit: Oracle faces a lawsuit alleging negligence, breach of contract, and unjust enrichment. Plaintiffs seek compensatory damages and mandated security improvements, citing Oracle’s failure to secure the data and its alleged concealment of the breach.
  • Regulatory Risks: Potential fines under GDPR for European customers and HIPAA for health data breaches are likely, given the exposure of sensitive information.

Lessons Learned and Recommendations

For Oracle

  • Legacy System Security: Organizations must secure or decommission legacy systems to prevent exploitation. Modern security controls like encryption, robust access management, and network segmentation are essential.
  • Transparency and Communication: Timely and transparent disclosure is critical to managing breach fallout and maintaining customer trust. Oracle’s initial denial and attempts to remove evidence from the Internet Archive’s Wayback Machine have damaged credibility.
  • Vulnerability Management: Regular vulnerability scanning and patch management are non-negotiable, especially for known exploits like CVE-2021-35587.

For Customers

  • Credential Reset: Immediately reset all credentials in Oracle Cloud SSO, LDAP, and encrypted configuration files to prevent misuse of stolen data.
  • Log and Behavior Review: Conduct thorough reviews of access logs, authentication records, and application behavior to identify anomalies indicating compromise.
  • Enhanced Monitoring: Implement real-time monitoring using SIEM tools to detect suspicious activity promptly.
  • Data Verification: Use tools from security firms like CloudSEK to check if your organization’s data was exposed in the breach.
  • Third-Party Risk Management: Reassess Oracle’s security practices and consider diversifying cloud providers to reduce dependency.

Technical Insights for Security Professionals

  • Exploitation Details: CVE-2021-35587 allowed remote code execution if unpatched, emphasizing the need for regular vulnerability assessments. The 2020 Java exploit likely involved deserialization flaws, common in older Java-based systems, with web shells indicating persistent access.
  • Detection Techniques: Monitor for unusual outbound traffic (e.g., data exfiltration) or new processes on servers (e.g., web shells). Use endpoint detection and response (EDR) solutions on legacy systems to enhance visibility.
  • Mitigation Strategies: Deploy least privilege principles, network segmentation, and harden systems to limit attack surfaces.
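As an added example (not code from the original article and not Oracle's or any vendor's tooling), the following Python script applies the log-review and web-shell detection advice above to constructed access-log lines: it flags server-side script paths absent from a known-good baseline, repeated POSTs to them, and oversized responses, and records when each suspect path was first seen to help scope the timeline. The /oam/ paths, IP addresses, baseline and thresholds are constructed assumptions.

```python
"""Added example (not Oracle's tooling): triage constructed web access logs for
web-shell-like activity; paths, IPs and the baseline below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common/combined access-log format; real field layouts vary per server.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)')
# Hypothetical baseline: script paths observed during a known-good period.
BASELINE_PATHS = {"/oam/pages/login.jsp"}
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".aspx")
# Constructed sample: normal logins, then POSTs to a JSP absent from the baseline.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:08:01:11 +0000] "GET /oam/pages/login.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [10/Jan/2025:08:01:13 +0000] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 0
203.0.113.7 - - [12/Jan/2025:02:14:05 +0000] "POST /oam/pages/cmd.jsp HTTP/1.1" 200 812
203.0.113.7 - - [12/Jan/2025:02:14:09 +0000] "POST /oam/pages/cmd.jsp HTTP/1.1" 200 4096
203.0.113.7 - - [12/Jan/2025:02:14:15 +0000] "POST /oam/pages/cmd.jsp HTTP/1.1" 200 1048576
10.0.0.9 - - [12/Jan/2025:09:00:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318
"""

def parse(log_text):
    # Yield one dict per line matching the format; silently skip anything else.
    for line in log_text.splitlines():
        if m := LOG_RE.match(line):
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["size"] = int(e["size"])
            yield e

def find_webshell_candidates(log_text, baseline=BASELINE_PATHS, exfil_bytes=512_000):
    """Return {path: {"first_seen": ts, "reasons": [...]}} for suspect script paths."""
    reasons, first_seen, posts = defaultdict(set), {}, Counter()
    for e in parse(log_text):
        p = e["path"]
        if not p.endswith(SCRIPT_EXT):
            continue  # only server-side script paths are candidates here
        first_seen.setdefault(p, e["ts"])
        if p not in baseline:
            reasons[p].add("script path absent from baseline")
        if e["method"] == "POST":
            posts[p] += 1
        if e["size"] >= exfil_bytes:
            reasons[p].add("large response (possible exfiltration)")
    for p, n in posts.items():
        if n >= 3 and p not in baseline:
            reasons[p].add("repeated POSTs to non-baseline script")
    return {p: {"first_seen": first_seen[p], "reasons": sorted(r)} for p, r in reasons.items()}
```

Any hit is a lead for the analyst, not proof of compromise; confirm by comparing the flagged file against deployment records and by checking process and outbound-connection activity on the host at the first-seen time.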

Summary Table of Breaches

| Aspect            | Oracle Cloud Breach                               | Oracle Health Breach                           |
|-------------------|---------------------------------------------------|------------------------------------------------|
| Date Discovered   | Late February 2025                                | Around February 20, 2025                       |
| Data Compromised  | 6M records, credentials, internal video           | Patient data from VA, Coast Guard, DoD         |
| Method            | Exploited CVE-2021-35587, 2020 Java exploit       | Unauthorized access to legacy server           |
| Oracle’s Response | Initially denied, later acknowledged privately    | Notified customers, limited public disclosure  |
| Key Issue         | Legacy system vulnerability, detection delay      | Legacy system risk, regulatory implications    |
