Oracle’s waterfront campus in Austin. The Austin-based tech giant is facing a possible class action lawsuit over data breaches this year.
Ricardo Brazziell/Ricardo B. Brazziell / American-
Oracle Corp., the Austin-based tech giant, is facing a potential class-action lawsuit over multiple data breaches this year impacting millions of people.
A federal judge in Austin is currently considering whether to combine the more than 30 cases into one, with a decision on that possible early in the new year. A decision on the class action could come within a year.
The lawsuits stem from at least two data breaches of the Oracle E-Business Suite in July and August by the cybercriminal group Cl0p. The Russian-speaking cybercriminal organization is known for mass ransomware attacks that exploit previously unknown security gaps, known as zero-day exploits.
Cl0p began large-scale extortion attempts in October, emailing dozens of companies and demanding payment to prevent the sale of sensitive data it had stolen. Social Security numbers, dates of birth, physical addresses and other personal information were harvested from servers using Oracle’s software, the suits say.
Oracle’s E-Business Suite is used by thousands of companies, nonprofits and education outlets. Customers range from the University of Pennsylvania and Washington Post to Mazda Motor Corp. and Estée Lauder Cos. Inc.
The cybercriminals claim to have nabbed data from more than 100 organizations. The University of Phoenix has said an estimated 3.5 million people were affected. According to court records, though, “the precise number of persons injured is unclear.”
In an email to the companies that’s cited in court documents, the hacking group said, “Regrettably for your company, this analysis shows that estimated financial losses, harm to reputation, and regulatory fines are likely to materially exceed the amount claimed.”
Companies using the business suite are also being sued in what one plaintiff’s attorney at a recent federal court hearing called a “hub and spoke case,” with Oracle as the hub to the corporate users of its software as spokes. The list of co-defendants includes Humana Inc., Canon Inc., Envoy Air, Cox Enterprises, Integra LifeSciences, GlobalLogic and several others.
Many of the victims were present or past employees of the companies. Attorneys said in court documents the victims are now vulnerable to identity theft, monetary losses and emotional distress.
At a Dec. 19 video hearing, the number of attorneys representing the dozens of victims and those defending the dozens of co-defendant companies was so large that all the faces didn’t fit on one screen, and the hearing began with a five-minute roll call of all the attorneys.
Oracle did not respond to a request for comment. It has not opposed consolidating the cases in court filings.
The company is accused of negligence, breach of implied contract, invasion of privacy and unjust enrichment, among other violations. The 30-plus lawsuits vary, and all their allegations won’t be clear until U.S. Magistrate Judge Susan Hightower decides whether they will be consolidated into one. Additional cases are still being filed, with attorneys at a recent hearing suggesting the total number could increase by as many as 25.
Hightower is expected to decide whether the cases will be consolidated within the next two months.
After that, it wouldn’t be considered a class-action lawsuit until after discovery is conducted and the judge confirms that a class of people exists with similar claims that can be represented by fewer plaintiffs. Certification of a class often increases the numbers represented and could mean more potential damages for Oracle and its co-defendants.
Attorneys have argued that the breaches are evidence of the company’s negligence and “careless acts.”
It’s one of two mass breaches for which Oracle has been facing lawsuits this year. It was also sued in federal court in Missouri over a January data breach dealing with personal health information being leaked.
In addition to violations alleged in the lawsuits, Oracle has not complied with the Texas Data Breach Act, according to court records. The law requires businesses that suffer a breach affecting more than 250 Texans to report it to the state within 30 days and to affected individuals within 60 days. Penalties for violating the act include as much as $50,000 per violation along with attorneys’, court and other investigative fees, according to the Attorney General’s Office.
As of Tuesday, Oracle does not appear on the public data security breach report maintained by the attorney general. At least five co-defendants in the federal lawsuits have reported breaches to the state since October, though, listing nearly 60,000 Texans receiving notifications of their data being obtained without their knowledge.
Class-action lawsuits over data breaches can drag on for years and have steep price tags. Equifax settled for $1.5 billion in 2017 for a data breach exposing 150 million people’s data. Meta, which owns Facebook and Instagram, paid $725 million to settle data privacy violation allegations when it sold as many as 87 million users’ data to British political consulting group Cambridge Analytica. That data was used to target political ads in favor of Donald Trump. Cambridge Analytica ceased operations in 2018. While the settlement sounds large, the volume of plaintiffs resulted in users receiving around $30 per person.