630 points 2bluesc | 1 comments
autoexec ◴[] No.43536747[source]
There are various state laws that require companies to notify their customers of security breaches, but they lack enforcement/teeth so they're routinely ignored. It'll never happen in our current environment but we really need a federal law that causes violators enough pain that companies will actually bother to follow the law.
replies(2): >>43536832 #>>43541843 #
TrueDuality ◴[] No.43536832[source]
While that's true, many enterprise customers are going to have MSAs with notification requirements that have contractual punishments for failure to notify of material security incidents. Those are probably what Oracle is trying to avoid.
replies(1): >>43536901 #
asciii ◴[] No.43536901[source]
I believe enterprise customers are not going to care much unless it helps with lowering existing costs.

OTOH, Oracle as part of BSA can demand an audit so they will inflict / make up a reason to also punish (i.e. licensing or pull support). The business could invoke an MSA punishment clause and win temporarily but it will cause a headache going forward (further demands from Oracle, higher costs, etc.).

Either way, Oracle gets what they want.

replies(1): >>43537793 #
praptak ◴[] No.43537793[source]
Unless the customer already wants to ditch Oracle.
replies(1): >>43537896 #
1. stackskipton ◴[] No.43537896[source]
Very few companies want to do business with Oracle (or IBM). Most are stuck with either, and the costs of switching are too high for an executive to greenlight.