What the Hack? Recent Notable Data Breaches

Earlier this month, we saw two major cybersecurity incidents that sent ripples across the enterprise software world and underscored just how exposed even large, well-resourced enterprises can be. Downstream risk from third-party dependencies remains a potent (and often overlooked) source of cyber risk for startups, scale-ups and small- and medium-sized businesses. Let’s dig into what happened, why it matters and practical steps businesses can take now to safeguard their data.

Skip to the bottom for business tips.

Ransomware Campaign Against Oracle E-Business Suite

In late September, Google’s Threat Intelligence Group noticed suspicious activity on Oracle’s E-Business Suite (EBS) systems. Specifically, they discovered evidence that the attacker(s) exploited a zero-day vulnerability (a security hole that the vendor does not know about, so there are zero days to fix it before exploitation), allowing unauthenticated access to critical components of Oracle’s system. In other words, the attacker could run any code they wanted on a company’s Oracle server (1) from the internet, and (2) without logging in first. This is a huge deal. Such attacks can be used to steal or destroy data quickly and quietly. And, since no login is required, even basic security measures (such as strong passwords or firewalls) do not help.

On October 3, 2025, Oracle released a statement confirming that its EBS customers received extortion emails claiming data theft. 

Why the Oracle Exploit Matters

Oracle EBS is used by many large companies with critical systems. Therefore, a breach at one EBS customer may create ripple risks for that customer’s suppliers, partners, and integrations.

While one exploited vulnerability was a zero-day, some others may have been known vulnerabilities patched in Oracle’s July 2025 Critical Patch Update (CPU). Oracle recently pushed an emergency patch update, but the exploit code had already been circulated publicly. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that similar vulnerabilities continue to be abused for ransomware distribution across public and private systems. This underscores the importance of applying all CPUs when available; patch discipline should be a non-negotiable practice for businesses, and automated when possible. 

Salesforce Data Breach Claim

On October 3, 2025, Reuters reported that a cybercriminal group called “Scattered LAPSUS$ Hunters” (a group formed from members of the Scattered Spider, LAPSUS$, and ShinyHunters hack crews) claimed to have exfiltrated “almost one billion” records from Salesforce. The hackers appear not to have targeted Salesforce’s core systems, but rather compromised integrations and third-party apps like Drift and Salesloft, using vishing (voice phishing) and abuse of OAuth tokens to obtain access to customers’ Salesforce environments.

Impacted companies included Qantas, Toyota and Disney. 

The hackers also launched a data-leak site listing companies that were allegedly impacted, and demanding ransoms by October 10 to avoid full publication of stolen data.

Salesforce released a statement clarifying that there was “no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.” And, while they are not wrong (because hackers did target user vulnerabilities rather than system vulnerabilities), the incident triggered regulators worldwide to examine how platform ecosystems handle aggregated risk and third-party authentication flows. 

Why the Salesforce Customer Exploit Matters

This breach is a good reminder for SaaS providers and businesses to include integrations in their risk modeling. Limiting API scopes, rotating authorization tokens, and conducting third-party access reviews can prevent attackers from turning partners into vulnerabilities. Even if a vendor claims to be secure, your internal integration and operational discipline matter when, as here, attackers bypass the vendor entirely.

Security Reminders for Businesses

These cyber incidents are a sobering reminder for SMBs using SaaS platforms to engage in proactive data systems hygiene to prevent breaches. Here are some things businesses can do to feel a little more secure against situations like these: 

  • Patch early and often: have a dedicated person (or team) subscribed to vendor security feeds to learn about new updates and security threats, and automate updates for critical systems. Having a dedicated security champion responsible for patch checking increases buy-in and the likelihood of compliance. Proactively check for patches on a regular basis, in case automated updates were not triggered for any reason.

  • Audit integrations regularly: whether quarterly or twice a year, review your integrations, because they are critical vulnerability junctures. Audits should document which services access your data (e.g., third-party apps and SaaS integrations) and ensure that integrations operate with least-privilege permissions (i.e., they are given the minimum authority required to carry out their essential functions).

  • Vet SaaS vendors: ask vendors about patching cadence, past incidents, and how they handle downstream risk. These risks can be managed by incorporating SLA terms about breach notifications and downstream impact scenarios.

  • Train employees: employees are a business’s last line of defense for sensitive data. They must be able to recognize phishing and vishing attempts, particularly those mimicking IT or vendor support. Training is critical, and should be more than online modules that employees can speed through. Test emails and calls should be deployed to measure training efficacy, with follow-up training for employees who do not pass.

  • Integrations should be limited and policy-driven: help-desk and IT support should follow strict verification and safety protocols prior to installing new or additional integrations, and changing access rights. 

  • Use data minimization principles to protect data: the less data a business holds, the less data can be stolen. By using the principle of least data (only collecting and/or storing data that is mission critical to business operations), loss will be limited in the event of a breach.

  • Monitor unusual data flows: this may include bulk data exports, large file transfers, and unusual connections to the internet. 

  • Create an incident response plan: develop and test incident response playbooks that include data restoration techniques and communication protocols. Remember that small businesses and startups are not too small to target. If anything, smaller businesses are easier to target as they typically have less robust data security systems in place. Businesses of all sizes will benefit from having an incident response plan that defines how breaches will be detected and contained, and when notifications must be given in the event of a breach. Data privacy counsel can assist in preparing plans and policies in line with these needs.
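As an added example (not code from the original post, and not any vendor’s log format) of what “monitor unusual data flows” can look like in practice, the Python script below runs two checks over a constructed audit log: it flags any single export above a row limit or any actor whose exports within a one-hour window exceed a cumulative limit, and it flags activity from source addresses outside the networks a business recognizes as its own. The log layout, the `203.0.113.0/24` “known” network, the actor names and all thresholds are assumptions to be replaced with a business’s own baseline.

```python
"""Flag bulk exports and unfamiliar source networks in a SaaS audit log.

Added illustration; the log schema and thresholds below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events: ISO timestamp, actor, action, row count, source IP.
# This is not a real vendor log format; a team would adapt parse_events() to its own.
SAMPLE_LOG = """\
2025-10-03T09:00:00Z,alice,REPORT_EXPORT,120,203.0.113.10
2025-10-03T09:05:00Z,integration:chat-connector,API_QUERY,400,203.0.113.50
2025-10-03T09:10:00Z,integration:chat-connector,API_QUERY,450,203.0.113.50
2025-10-03T09:12:00Z,integration:chat-connector,BULK_EXPORT,60000,198.51.100.7
2025-10-03T09:20:00Z,bob,REPORT_EXPORT,9000,203.0.113.22
2025-10-03T09:25:00Z,bob,REPORT_EXPORT,9500,203.0.113.22
2025-10-03T09:31:00Z,bob,REPORT_EXPORT,9800,203.0.113.22
2025-10-03T10:40:00Z,bob,REPORT_EXPORT,9000,203.0.113.22
"""

# Constructed policy values (assumptions): tune these to the organisation's normal volumes.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
EXPORT_ACTIONS = {"REPORT_EXPORT", "BULK_EXPORT"}
SINGLE_EVENT_LIMIT = 10_000          # rows allowed in one export
WINDOW = timedelta(hours=1)          # sliding window for per-actor totals
WINDOW_LIMIT = 25_000                # rows allowed per actor within WINDOW


def parse_events(text):
    """Parse the comma-separated log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, rows, ip = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor,
            "action": action,
            "rows": int(rows),
            "ip": ipaddress.ip_address(ip),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_bulk_exports(events):
    """Return (actor, reason, rows) alerts for oversized or accumulated exports.

    A deque per actor holds the export events still inside the sliding window,
    so the cumulative check stays linear in the number of events.
    """
    alerts = []
    recent = defaultdict(deque)
    for e in events:
        if e["action"] not in EXPORT_ACTIONS:
            continue
        if e["rows"] > SINGLE_EVENT_LIMIT:
            alerts.append((e["actor"], "single_export", e["rows"]))
        window = recent[e["actor"]]
        window.append((e["ts"], e["rows"]))
        while window and e["ts"] - window[0][0] > WINDOW:
            window.popleft()            # drop events older than the window
        total = sum(rows for _, rows in window)
        if total > WINDOW_LIMIT:
            alerts.append((e["actor"], "window_total", total))
    return alerts


def find_unfamiliar_sources(events, known_networks=KNOWN_NETWORKS):
    """Return (actor, action, ip) for events from outside the known networks."""
    return [
        (e["actor"], e["action"], str(e["ip"]))
        for e in events
        if not any(e["ip"] in net for net in known_networks)
    ]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for alert in find_bulk_exports(parsed):
        print("bulk export:", alert)
    for alert in find_unfamiliar_sources(parsed):
        print("unfamiliar source:", alert)
```

On the sample data, the integration account trips both export checks with one 60,000-row export from an address outside the known network, while the human user trips only the cumulative check at the third export and drops back under the limit once the earlier exports age out of the window. The value of the second check is that a compromised integration token is often used from infrastructure the business has never seen before, which is visible even when each individual request looks routine.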

Conclusion

These hacks serve as a reminder that companies are only as secure as their weakest links, whether that link is an unpatched vulnerability in a vendor’s enterprise systems, or an employee who clicks on a malicious link (see also yesterday’s post on CometJacking) or falls victim to a phone or email impersonation. Companies are reminded to audit their cyber hygiene on a regular basis, and to patch often.
