How Oracle took a security breach claim and made it worse • The Register


04/02/2025


Opinion: Oracle is being accused of poor incident comms as it reels from two reported data security mishaps over the past fortnight, amid a reluctance to publicly acknowledge all of the events as well as allegedly deleting evidence from the web.

First, on March 20, an attacker claimed they’d broken into its login servers and stolen information. The cloudy ERP biz denied it the next day. By March 25, infoseccers disputed that denial after going through samples line by line. By Sunday March 30, Oracle Health customers reportedly leaked a notification sent to them that a criminal had broken in and stolen legacy Cerner data not yet migrated to Oracle’s cloud. Oracle has not yet responded publicly to news of that notice’s leak.

Infosec experts Kevin Beaumont and Jake Williams later both claimed that Oracle appears to have used the Internet Wayback Machine’s archive exclusion process to remove evidence about the intrusion.

Denial and potentially deception and destruction. We rarely get all three when it comes to bad breach disclosures, and these can turn what should be a routine comms exercise into a veritable PR disaster.

There have been some disclosure stinkers in the past. Back in 2016, The Reg discovered that Yahoo! had taken a few years to disclose security snafus that occurred in 2013 and 2014, for example. These days we often see organizations simply choose not to publicly address their issues. A quick self-referral to the regulators and some letters sent directly to those affected pass as the bare minimum, and while these organizations won’t get any Brownie points for transparency, the approach doesn’t tend to invite too much in the way of long-lasting criticism either.

When Oracle issued its flat-out denial of the first breach allegations that surfaced from cybercrime forums, it seemed like it was yet another wannabe big-time scriptkiddie making false claims for clout.

Yet when high-profile security pros seemed comfortable enough to publicly call foul on its response, it started to look quite bad for Big Red.

To make matters worse, Oracle seemingly tried to swerve any flak with some careful semantics. Its original denial stated: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Infoseccer Beaumont, aka “GossiTheDog”, later pointed out that he believed Oracle was trying to, in his words, “wordsmith” its statements in specific ways to avoid responsibility. Beaumont noted that Oracle distinguishes Oracle Cloud from Oracle Cloud Classic, and claimed the breach likely stemmed from the latter.

We asked Oracle about this, but it did not respond.

So we have denial and seeming deception, and then reports of destruction: Big Red was accused of trying to remove online evidence, visible on the Internet Wayback Machine, of attacker rose87168’s alleged compromise of the system. Whether or not the requests came from the company, the full range of URLs was not scrubbed, and the attacker’s email address, left behind as “proof”, can still be seen today.

And that’s just Oracle Cloud / Cloud Classic. Multiple Reg reporters are still waiting for responses to our questions following the suspected incident at Oracle Health, one which the FBI is reportedly on site handling.

All things considered, Oracle’s response might go down as one of the all-time lows in the genre.

Simple, clear communications can quell gloomy news stories and customer concerns. Oracle has chosen to flip that on its head, fueling the kind of negativity that disaster recovery plans are meant to help prevent.

Unlike other components of a solid disaster recovery plan – ensuring the availability of updated, immutable backups, and conducting disaster simulation exercises to test a plan’s efficacy – communications are generally straightforward.

The hard work should be focused on keeping customers happy and onside, rather than deploying carefully worded statements that might be interpreted as skirting the line between truth and deception.

Of course, public companies like Oracle have the added concern of protecting shareholders’ interests – a type of stress organizations like the British Library, whose response to its 2023 ransomware attack set the industry’s gold standard, don’t have to endure.

In the short term, however, the victims of sticky security events who choose to neglect the quality of their public response pay for it with their reputation, and Oracle’s is the latest case supporting that fact.

For those who want to learn how to improve their disaster plans for the better, the UK’s NCSC has a guide on why transparent incident disclosures are beneficial for organizations and the country’s overall cyber resilience.

It says: “Being open about an attack by seeking support and communicating openly with the NCSC and ICO in the days following it can only help you, while sharing information about the attack with your trust communities later on will ultimately improve the threat landscape for everyone.”

In short, transparency is best. Near-silence can also do the trick. But you’ll likely lose some customers’ trust, which matters. ®
