Comment by ziddoap
10 days ago
>BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
>In addition to the data, rose87168 shared an Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach.
Oracle probably should have just admitted the validity up front.
It's not like there are any real penalties to a breach. Lying about it is probably a worse PR hit than the breach itself.
> It's not like there are any real penalties to a breach.
Not in the US maybe. In the EU under GDPR you have to disclose within 48h of realizing (or being made aware of) the breach.
There are fines (at least) if you don't disclose it afaik.
Oracle is gonna have issues with the EU, most likely.
Maybe the EU wasn't on the Signal group chat when Oracle notified The Atlantic of the breach
SEC Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules - https://www.sec.gov/files/33-11216-fact-sheet.pdf
I mean it's true that there's a rule, but at this point in US history I think we have reason to be sceptical that it will be enforced.
Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue? Admittedly, I don't watch too closely, but from the ones I am aware of, I haven't seen any GDPR fines that made me finally think "wow, that might actually count as a punishment". (I would honestly be happy to learn of some!)
There are disclosure laws in the US as well, but again, the fines are like a day's worth of revenue. Maybe the breached company has to provide a year of credit monitoring for the affected persons, if lucky.
Several of the fines have been in the hundreds of millions of dollars, and while not crushing to Oracle, that's actual money that will definitely change behavior. https://www.enforcementtracker.com/
In the UK, and I presume the EU also, the fines for losing customer data are set as a % of company annual worldwide turnover.
https://ico.org.uk/for-organisations/law-enforcement/guide-t...
> Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue?
Not yet, hopefully soon: under some circumstances GDPR fines can go up to 6% of gross earnings (EBITDA) iirc.
> In the EU under GDPR you have to disclose within 48h
72h actually, but yes, data protection and breaches of sensitive personal information are taken very seriously in the European Union and its legislation.
This just in... /s
Seriously though, Sullivan lost his appeal. You should have read up on this.
https://www.courthousenews.com/wp-content/uploads/2025/03/us...
What exactly is the point you are trying to make?
He got in trouble for obstruction of justice and misprision of felony for trying to cover up a breach. Not because there was a breach.
There are basically no punishments for a breach itself. But yes, if you obstruct authorities who investigate, you can get in trouble.