Oracle’s Breach Double Header

4–7–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, April 7, 2025, and I’m just here to tell you that you’re not alone - we’re all trying not to refresh the news or stock quotes obsessively.  For the next few minutes, let’s talk about cybersecurity.

Oracle’s Breach Double Header

While there might not be that many Oracle customers in our “middle market” segment here on this show, I think it’s worth talking through what’s been happening at Oracle over the past week and change.

Since March 21, Bleeping Computer and others have been reporting on a threat actor named rose87168 claiming to have breached some Oracle services inside *.oraclecloud.com.

According to Bleeping Computer, Oracle’s denial of this breach was categorical: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

They are now reporting that “Oracle has finally acknowledged to some customers that attackers have stolen old client credentials after breaching a ‘legacy environment’ last used in 2017,” and Bloomberg has confirmed this reporting.

While Oracle was busy denying this breach, they suffered a second breach in their Oracle Health offering - created after they acquired EHR provider Cerner and merged it into a single offering.

Here, “Oracle says that the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. This stolen data ‘may’ have included patient information from electronic health records.”

Meanwhile, “multiple sources told BleepingComputer that it was confirmed that patient data was stolen during the attack” and “Oracle Health is also telling hospitals that they will not notify patients directly and that it is their responsibility to determine if the stolen data violates HIPAA laws and whether they are required to send notifications.”

So, Oracle is getting a lot of practice in what appears to be shirking responsibility and passing the buck for their incidents. What lessons should that teach us?

Well, to start, it should help us re-focus our efforts on the critical third party providers that we use. We can’t prevent them from having breaches, of course, but we can build in mechanisms to better deal with them.

This includes having contingency plans, and also an accurate inventory of the data we’re sharing with these providers in the case that we need to do notifications ourselves.

Furthermore, I think it’s entirely reasonable to read the regulatory tea leaves here - Oracle has yet to file an 8-K as required by SEC regulation, and seems to be pushing HIPAA notifications down to impacted hospitals, perhaps because they see the cuts taking place at HHS reducing its Office for Civil Rights’ ability to enforce HIPAA regulation.

The other lesson from Oracle’s no good very bad week revolves around our own authentication and authorization practices. Bloomberg is reporting that “Oracle staff informed some clients this week that the attacker gained access to usernames, passkeys and encrypted passwords.” That means we’ve got an opportunity to rotate those credentials, so that any disclosed passwords, passkeys, encrypted passwords, hashes, or anything else are no longer a risk for us.

Again, we need to re-entrench our focus on the basics (which includes Third Party Risk Management - TPRM - and Identity and Access Management - IAM). We can’t solve the world’s problems, but we can reduce the impact they have on us.
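To make the two lessons above concrete (an accurate inventory of what we share with each provider, and a credential rotation pass when a provider discloses an incident), here is a small Python helper I've added to this transcript. It is not code from Oracle, Bleeping Computer, or the post itself; the provider names, system names, credential names, record counts, and both breach notices are constructed to mirror the two Oracle incidents, and the exposure end date is simply the day the notice was received, since the reporting only gives "sometime after January 22, 2025". Given a vendor notice, it answers the two questions a TPRM or IAM owner needs answered first: which of our credentials for that provider must be rotated (or, if already retired, checked for reuse elsewhere), and which shared data sets need a notification decision.

```python
"""Third-party breach response helper (added example; not from the post).

Inputs: an inventory of credentials we hold for each provider, an inventory
of the data we share with each provider, and a breach notice from a provider.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Credential:
    provider: str
    name: str
    kind: str                       # "password", "api_key", "passkey", ...
    created: date
    retired: Optional[date] = None  # None means the credential is still active


@dataclass(frozen=True)
class SharedData:
    provider: str
    system: str
    data_classes: frozenset         # e.g. {"PHI", "PII", "internal"}
    records: int


@dataclass(frozen=True)
class BreachNotice:
    provider: str
    exposure_start: date            # earliest date the attacker may have had access
    exposure_end: date              # date access was cut off, or the notice date if unknown
    credentials_exposed: bool
    data_exposed: bool


# Data classes that trigger a notification assessment on our side
NOTIFIABLE = {
    "PHI": "HIPAA breach-notification assessment",
    "PII": "state breach-notification review",
}


def overlaps(cred: Credential, notice: BreachNotice) -> bool:
    """True if the credential was live at any point during the exposure window."""
    return cred.created <= notice.exposure_end and (
        cred.retired is None or cred.retired >= notice.exposure_start
    )


def rotation_plan(creds, notice):
    """Return (rotate_now, check_reuse) for the breached provider.

    rotate_now:  active credentials that were live during the window.
    check_reuse: retired credentials that were live during the window; they are
                 gone at the provider but may have been reused elsewhere."""
    if not notice.credentials_exposed:
        return [], []
    hit = [c for c in creds if c.provider == notice.provider and overlaps(c, notice)]
    rotate_now = sorted(c.name for c in hit if c.retired is None)
    check_reuse = sorted(c.name for c in hit if c.retired is not None)
    return rotate_now, check_reuse


def notification_review(shared, notice):
    """Return (system, data_class, action, records) rows needing a notification
    decision for the breached provider, PHI first, then largest data sets first."""
    if not notice.data_exposed:
        return []
    rows = []
    for s in shared:
        if s.provider != notice.provider:
            continue
        for dc in sorted(s.data_classes):
            if dc in NOTIFIABLE:
                rows.append((s.system, dc, NOTIFIABLE[dc], s.records))
    rows.sort(key=lambda r: (r[1] != "PHI", -r[3]))
    return rows


# Constructed inventory (hypothetical names and counts)
INVENTORY_CREDS = [
    Credential("oracle", "svc-ehr-interface", "password", date(2024, 6, 1)),
    Credential("oracle", "ci-deploy-key", "api_key", date(2025, 2, 10)),
    Credential("oracle", "svc-legacy-sso", "password", date(2016, 3, 1), retired=date(2018, 1, 15)),
    Credential("oracle", "old-migration-key", "api_key", date(2025, 1, 1), retired=date(2025, 1, 10)),
    Credential("acme-payroll", "svc-payroll", "password", date(2024, 1, 1)),
]
INVENTORY_DATA = [
    SharedData("oracle", "ehr-hosting", frozenset({"PHI", "PII"}), 120_000),
    SharedData("oracle", "billing-export", frozenset({"PII"}), 45_000),
    SharedData("oracle", "build-artifacts", frozenset({"internal"}), 0),
    SharedData("acme-payroll", "payroll", frozenset({"PII"}), 800),
]

# Two constructed notices modelled on the two reported incidents
NOTICE_HEALTH = BreachNotice("oracle", date(2025, 1, 22), date(2025, 3, 28), True, True)
NOTICE_LEGACY = BreachNotice("oracle", date(2017, 1, 1), date(2017, 12, 31), True, False)

if __name__ == "__main__":
    for label, notice in (("health", NOTICE_HEALTH), ("legacy", NOTICE_LEGACY)):
        print(label, "rotate/check:", rotation_plan(INVENTORY_CREDS, notice))
        print(label, "notify review:", notification_review(INVENTORY_DATA, notice))
```

The point of keeping retired credentials in the inventory is the legacy incident: a credential that was decommissioned years ago is still worth a reuse check if it was live when the environment was exposed. Likewise, the data inventory is what lets you answer the hospitals' question ("do we have to notify?") without waiting for the provider to do it for you.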

Being resilient is only going to get harder, so the sooner we start building resilience, the better.

Fundraising

From a fundraising perspective, we saw more than $12.5B in newly committed capital last week, but we also saw a couple of other interesting notes.

First, we talked last week about how the private markets might not be such a bad place to be - and our friends at Klarna have decided the same, having chosen to delay their Initial Public Offering.

That said, we also saw a piece in the Financial Times entitled “Big investors look to sell out of private equity after market rout” - reporting that “Large institutional investors are studying options to shed stakes in illiquid private equity funds after the rout in global financial markets pummelled their portfolios.”

The FT writes that “pensions and endowments [are] seeking ways to exit their investments, probably at discounts to their stated value” and that “the race to find liquidity signals that investors in private equity funds increasingly expect to receive few cash profits from their holdings this year and may face liquidity pressures that cause them to further retrench from making new investments.”

2025 is going to be a volatile year - for all of us. Everyone is looking for ways to reduce their exposure to that volatility, and I suggest you and I both plan accordingly.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.bleepingcomputer.com/news/security/oracle-privately-confirms-cloud-breach-to-customers/

https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen

https://www.bleepingcomputer.com/news/security/oracle-health-breach-compromises-patient-data-at-us-hospitals/

https://www.govinfosecurity.com/rfk-jr-cuts-at-hhs-affect-hipaa-cyber-response-units-a-27853

https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a

https://www.axios.com/pro/fintech-deals/2025/04/04/klarna-ipo-delay

https://www.ft.com/content/b7c5aea6-c429-4917-bf35-a4f1b3159f85
