You have the right to remain silent...except when you are a major tech vendor, like Oracle, at the center of serious breach allegations, according to some cybersecurity professionals.
In late March, Oracle made headlines after a threat actor by the alias of rose87168 claimed on BreachForums that it had six million records obtained from Oracle Cloud’s single sign-on (SSO) and lightweight directory access protocol (LDAP) systems for sale.
However, despite mounting evidence supporting the breach allegations and a class-action lawsuit filed against the tech giant in the US District Court for the Western District of Texas in relation to the matter last week, Oracle largely declined to elaborate on or even confirm the incident at first. The tech giant previously told several publications, including The Register and Dark Reading, that the published credentials are not for Oracle Cloud and no breach has occurred.
Bloomberg reported on April 2 that the vendor informed some customers that an attacker had gained access to a “legacy environment” that hadn’t been used in eight years, and that the FBI and CrowdStrike were investigating the incident. Oracle did not immediately respond to IT Brew’s requests for comment on the alleged breach.
Breach of trust. Oracle’s muted public response has left some, like Deepblue Cybersecurity founder and CEO Ofer Shaked, scratching their heads.
“What we hear from Oracle is, ‘We were not breached,’ over and over again…and the evidence says a completely different story,” Shaked said. “This gives me a feeling of a lack of trust.”
Shaked added that Oracle’s choice to seemingly remain mute as a malicious actor continues to sound off with the public is also peculiar.
“We see a lot of communication coming from the threat actor and zero communication from Oracle,” Shaked said. “I also find this a little bit odd.”
*Alleged* breach etiquette. Nimrod Kozlovski, founder and CEO of Cytactic, a cyber crisis readiness and management startup, speculates that Oracle has chosen its course of action because it is unable to scope the full extent of the alleged attack. However, Kozlovski said that a lack of clear and transparent communication opens up the door for rumors to circulate.
“We have more speculations than actual facts of what has happened,” he said.
Kozlovski pointed out that organizations can actually win over the trust of customers when they exhibit good communication during an incident. He referenced SolarWinds, which underwent a supply-chain attack in 2019, as a good example of this. Sudhakar Ramakrishna, CEO of the targeted software company, told InformationWeek that the company had a customer retention rate of 97% last year.
In a pickle. Some things are easier said than done. Kozlovski told us that it can be a “delicate dilemma” for organizations in a crisis to decide how best to proceed after discovering a potential security snafu in a way that appeases their stakeholders while protecting the company from further damage or liability.
“Sometimes you need to decide if you’re better off in having the right messaging out there that would actually help you to protect your reputation,” Kozlovski said. “You might actually restrict some information or not disclose [it] because it might help you either for better investigation…or sometimes even in order to shield you from liability.”