If you are already a customer of Oracle, I can't imagine this matters to you. You did not choose Oracle because it was a good product and they are a good company. You are a customer of Oracle because there was a backroom executive deal with the Devil. No one is surprised or outraged or even has any choices.
As my buddy from Oracle likes to say, "No one cares what we do as long as the flow of streak, coke, and strippers doesn't stop."
He's a big Zed Shaw fan.
Anytime Oracle is brought up is a great time to repost the famous Lawnmower quote:
> "As you know people, as you learn about things, you realize that these generalizations we have are, virtually to a generalization, false. Well, except for this one, as it turns out. What you think of Oracle, is even truer than you think it is. There has been no entity in human history with less complexity or nuance to it than Oracle. And I gotta say, as someone who has seen that complexity for my entire life, it's very hard to get used to that idea. It's like, 'surely this is more complicated!' but it's like: Wow, this is really simple! This company is very straightforward, in its defense. This company is about one man, his alter-ego, and what he wants to inflict upon humanity -- that's it! ...Ship mediocrity, inflict misery, lie our asses off, screw our customers, and make a whole shitload of money. Yeah... you talk to Oracle, it's like, 'no, we don't fucking make dreams happen -- we make money!' ...You need to think of Larry Ellison the way you think of a lawnmower. You don't anthropomorphize your lawnmower, the lawnmower just mows the lawn, you stick your hand in there and it'll chop it off, the end. You don't think 'oh, the lawnmower hates me' -- lawnmower doesn't give a shit about you, lawnmower can't hate you. Don't anthropomorphize the lawnmower. Don't fall into that trap about Oracle." - Bryan Cantrill
what's "streak"? do you mean steak?
The problem is the people who have to use Oracle aren't the ones getting the steak or strippers.
"Oracle, where the Sun don't shine no more."
I’m sorry but I don’t get this Zed Shaw reference, what did I miss?
I use Oracle Cloud for my personal projects because of their generous free tier[1] which includes 4x Ampere A1 cores, 24 GB of RAM, and 10 TB of outbound data transfer per month.
I was ready to jump ship if they changed the terms, but I was not expecting a security incident.
[1]: https://www.oracle.com/cloud/free/
I was talking to a customer in a construction company that had its entire internal project management platform sold to Oracle. This was why they couldn't manage their end of a large project.
Oracle futzed it, and after a complete roll of the construction firm's board of directors, they were in negotiations to buy their own program back for twice the price.
I've started seeing ads for Oracle OCI in some podcasts I listen to so I think they are starting to see if they can attract customers outside of their "enterprise sales process".
I'm not sure who those ads are supposed to appeal to besides the podcast hosts raking in the ad dollars.
I haven’t seen the ads, but Oracle Cloud is definitely the public cloud provider with the most generous free tier. That’s not to say you should use and trust them, but I can see why many would.
> "enterprise sales process"
I'm sorry, is Oracle known to be some super sleazy sales org that plies enterprise decision makers with strippers and cocktails, and drugs?
I imagine Larry Ellison gave this exact speech right after this incident became public.
If the tables were turned, Oracle would be taking advantage of the situation.
Take note.
This is honestly wild.
Whether we like it or not, security incidents have become so commonplace in the last several years that if they had just admitted to it, this entire story would likely have been shrugged off and mostly forgotten in a couple of days. Instead it is turning into an entire thing that just seems to be getting deeper and deeper. (Not downplaying the security incident, but that is the unfortunate reality.)
Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident, at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?
Are they somehow really confident that this didn't happen, maybe they don't have the logs to confirm it? Trying to think about how this is anything except them just straight up lying.
I can't remember the last time we saw a company this strongly try to deny that something like this happened. Especially when according to Ars Technica:
> On Friday, when I asked Oracle for comment, a spokesperson asked if they could provide a statement that couldn’t be attributed to Oracle in any way. After I declined, the spokesperson said Oracle would have no comment.
I'm guessing nobody chooses to work with Oracle anymore for reasons or in situations that we would consider reasonable. It's probably either government contracts, with or without corruption, companies already locked in, contracts made by executives that don't really understand technology, that sort of thing.
I worked as a contractor for the Wisconsin state government and they had hundreds of Oracle databases that they were consolidating on the Oracle EXADATA11 servers. Insane having hardware that can only run Oracle but the Oracle DBA said that the Exadata was dozens of times faster than Oracle on VMware VMs.
Actually, it is mostly companies who are too reluctant to change. If it works, keep it as is, even if better technologies are the norm nowadays. Maybe this will help them move away from this obsolete Larry Ellison crapshot.
> Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident, at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?
I think you're coming at this from the wrong point of view. Oracle couldn't care in the slightest about what regular people think of them. Remember, they are the company that sent lawyers after the employers of folks who downloaded non-free but bundled-by-default extensions to VirtualBox, and the company that declared that you need to license every core their software could _potentially_ run on in your virtualisation estate (so if you have an 8 vCPU VM for some Oracle software, you need licenses for however many physical cores you have on your cluster). They've variously been described as a law firm with an engineering side business, and One Rich Asshole Called Larry Ellison. Speaking of whom, he multiple times flat out lied on stage to make his shitty "cloud" nobody cares about seem relevant compared to AWS.
Nobody buys Oracle because they like them or their good reputation. You buy them because you have legacy stuff that depends on them and you have no choice (even Amazon took many years to get off Oracle databases, and they wrote a gloating success story once they were done with it because they were that happy to be rid of the leeches), or because your boss's boss was convinced at a golf course they're getting a good deal. Or because their bandwidth is very cheap and you accept the risk of dealing with the devil incarnate with zero morals (cf. Zoom).
Oracle is like Broadcom. Everyone hates their guts, everyone who worked there has a black mark on their CV. Yet they persist, continue leeching off companies too scared to make the jump elsewhere.
> everyone who worked there has a black mark on their CV. Yet they persist, continue leeching off companies too scared to make the jump elsewhere.
This is just your opinion. Most people I know who work there feel just fine, if not very happy. Pay/benefits are good. Work is about the same everywhere. In fact, depending on the group, there may be good, challenging technical work there.
As far as the CV is concerned, working there is mostly positive or at worst neutral in terms of a job change.
> Nobody buys Oracle because they like them or their good reputation.
Oracle is quite expensive, but they have a reputation for a solid database for enterprise workloads.
Also their cloud business is doing fine and growing and not irrelevant. One can see that from their quarterly results.
My wife is a hospital pharmacist. Cerner is a popular EMR system, ~#2 in the market (behind Epic). These systems are ridiculously difficult to change between (everyone from your front check-in desk to every surgeon who has privileges needs to be trained on how the new system works, in addition to the technical problems of ETL'ing all your data over, and each hospital has an enormous amount of customization done to their workflows that has to be ported over to the new system). She's done that twice at two different places and it was a huge process, 18 months minimum. So these EMRs have an enormous amount of lock-in.
The punchline is, in 2022 Oracle purchased Cerner, renamed it Oracle Health, and started accelerating the process of enshittifying it. I have to tip my hat to them, it's like their BizDev team found a market segment that had as much lock-in as SQL databases do, and are now trying to replicate all the evil tricks they learned from that in another market segment. Because what are hospitals but giant bags of money to be drained so Larry Ellison can buy another yacht?
> everyone who worked there has a black mark on their CV
I hope this is hyperbole. Rank and file employees are not responsible for corporate policy or direction, especially in places like Oracle.
Security incidents have become so commonplace that the fact that they happen is not the newsworthy event; rather, it's how a company responds to them that is the newsworthy event. And Oracle flunked this test.
Note that it was an almost 4-year-old, already disclosed CVE which was used. Oracle messed up, big time. That's why they're trying to get rid of all incriminating evidence for potential lawsuits.
https://nvd.nist.gov/vuln/detail/cve-2021-35587
My guess is that admitting a security incident triggers lots of contractual clauses.
They have probably decided it's cheaper to simply deny the event (therefore not triggering those clauses).
If it gets to court, Oracle will find some expert who says there was no incident, and the other side will present clear evidence there was an incident, but the non-technical judge will probably still not be sure.
That's why in Europe there are strict laws regarding lax security of customer data, and companies can be fined a percentage of their turnover - which in the case of Oracle could hurt a bit.
There are various state laws that require companies to notify their customers of security breaches, but they lack enforcement/teeth so they're routinely ignored. It'll never happen in our current environment but we really need a federal law that causes violators enough pain that companies will actually bother to follow the law.
While that's true, many enterprise customers are going to have MSAs with notification requirements that have contractual punishments for failure to notify of material security incidents. Those are probably what Oracle is trying to avoid.
I believe enterprise customers are not going to care much unless it helps with lowering existing costs.
OTOH, Oracle, as part of the BSA, can demand an audit, so they will inflict / make up a reason to also punish (i.e. licensing or pulling support). The business could invoke an MSA punishment clause and win temporarily, but it will cause a headache going forward (further demands from Oracle, higher costs, etc.).
Either way, Oracle gets what they want.
I don't get your argument.
Wouldn't adding teeth to the state laws be the right thing to do?
It would help, but it'd be better for everyone if there was just one law to worry about which covered everyone (or at least set a minimum standard) rather than having 50 different versions of the same law all over the country each with their own definitions, thresholds, penalties, etc. It'd make things a lot less complicated for both companies and consumers, especially given how often a single company's data being exposed impacts people all over the nation.
We're primarily an AWS shop but some Oracle BDR assigned to cover us recently reached out on LinkedIn.
I asked for an incident report and received this terse response:
> There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.
Per article, Oracle has hastily rebranded the breached service as "Oracle Classic", for the sole purpose of being able to claim with a straight face that "Oracle Cloud" was not impacted.
FWIW, that doesn't appear to be a "hasty rebrand" - Oracle has had this distinction for a long time:
https://docs.oracle.com/en/cloud/saas/enterprise-performance...
That exact statement is quoted in the OP too.
Yeah, they've clearly been given some minimal company line and aren't deviating from it. Not going to win any trust.
> NetSuite will indemnify Customer up to an amount equal to five (5) times the equivalent of 12 months of license fees applicable at the time of the event, from and against any Losses incurred by Customer
https://www.sec.gov/Archives/edgar/data/1428669/000119312508...
Ah, another notch in the belt for Larry Ellison's Oracle data security scandals.
Matches Larry's other political and societal scandals.
Tangential, but there’s an old interview with Ellison where he said that Amazon would never be able to get off of Oracle DB because it’s too critical a piece of software. This was in response to Amazon announcing it was something they had planned.
Amazon got it done ahead of schedule and there’s a video of them popping champagne to celebrate when they shut the last server down.
I’m not a big Amazon fan, but the enemy of my enemy is my friend.
Larry Ellison hasn't been CEO for over a decade.
This is a deliberate attempt to cover up their incompetence. It should be criminal to deceive the public and your _paying_ customers.
Executives need to go to jail. People need to be fired.
This won’t happen though, definitely not under this current administration.
Post-truth era is wild. But this seems like standard Oracle behavior for a while now.
Pretty on par for what I expect from Oracle. I'm surprised there's no corporate contracts involved yet.
The hacker is following a number of corporations. Is it an empty threat or a hint?
https://imgur.com/a/IsksRrZ
Neither. I would not read anything into a random hacker's twitter follow list.
Create a 'Wicki-hacks.com', like Wikipedia, where incidents are listed in detail - anonymously and indexed akin to Wikipedia, with editors that create and verify an incident in such a way that Horacle etc. cannot deny it or get it taken down.
Oracle is notoriously stingy. They'd rather lose the data, pay a fine and deny it happened (settle), than own up for it.
The troubling aspect (besides the denials, of course) is the absence of controls that should have sniffed this out ASAP. Apparently:
- no passive network monitors showing an unknown IP/MAC/location
- no SOAR to kill off the attempts to gain a foothold/move laterally
- no alerts on the above or anything else in the SOC
It's times like this Oracle needs to lean on its good reputation and ask for forgiveness from the customers they've been loyal to for so long.
> Oracle needs to lean on its good reputation
It's what now?
Something tells me parent implied the /s.
> the customers they've been loyal to
...who?
I hear fines are up to thousands of dollars now..
tens*
The scary thing is that Oracle is able to take down items from Archive.org.
https://help.archive.org/help/how-do-i-request-to-remove-som...
https://news.ycombinator.com/item?id=43486945 related
how is that not securities fraud?
they are under legal obligation to tell investors about this sort of shit.
They are indeed under a legal obligation to disclose "material" cybersecurity incidents. For people who want to see the details, here's the SEC release https://www.sec.gov/newsroom/press-releases/2023-139
Now will the SEC enforce against oracle? In this environment I highly doubt anyone at the SEC would have the appetite but I could be wrong.
So will any investors with standing choose to bring a civil action? Could well do it. There are for sure investors (e.g. Elliott) who in general would fight anyone at all if they thought they had a case. I don't know if there's anyone like that who had a position in Oracle specifically, but it wouldn't surprise me.
The SEC no longer exists. The billionaires like Ellison completely own the US government right now.
If no one enforces the law, it's not illegal.
Not to mention all of the data breach notification laws.
Welcome to the (most recent) era of deregulation. Get ready for all Fortune 500s to deny, deny, deny, and bribe.
Presumably the requirements for public companies to disclose stuff and generally follow all kinds of rules were somehow for the health of the markets or something like that. I wonder how the markets will fare with the rules neutered.
To be fair, they're trending down at the moment, so maybe there was something there. But truly only time will tell.
Crypto is a prime asset for bribing. Not for nothing the president has his own shit coin.
They likely aren't under an obligation to tell investors about it immediately, and simply putting something in their quarterly report about it will probably be fine.
That being said if they put something in some communication that said "we take security seriously" or something that would probably be grounds to sue as this obviously shows they aren't serious or something. The barriers to shareholder lawsuits for securities fraud are pretty low.
The SEC says they have 4 business days:
"An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing." (from https://www.sec.gov/newsroom/press-releases/2023-139)
Annnnd this is why Google bought Wiz huh.