Anatomy of a Breach: Oracle Cloud and NYU — Cloud Breach Claims and 3 Million Applicant Records Exposed

> series: anatomy_of_a_breach —— part: 195 —— targets: oracle_cloud + nyu —— oracle: legacy_tenant_data —— nyu: 3,000,000_applicants_since_1989

Hedgehog Security 31 March 2025 12 min read

Oracle Cloud: legacy infrastructure claims. NYU: 3 million applicants since 1989. Legacy risk everywhere.

In March 2025, a threat actor posted claims of having breached Oracle Cloud's legacy infrastructure, allegedly accessing authentication data related to over 140,000 tenants. Oracle initially denied any breach of its current cloud services, but subsequent evidence — including data samples and customer notifications — suggested that legacy Oracle Cloud Classic systems may have been compromised. The incident highlighted the risk of legacy infrastructure within modern cloud providers — older systems maintained alongside current platforms that may not receive the same level of security attention.

Separately, on 22 March 2025, a hacker redirected New York University's website and published the personal information of over 3 million applicants dating back to 1989 — including names, test scores (SAT/ACT), GPAs, intended majors, demographic information, family backgrounds, and financial aid details. The 36-year span of the data demonstrated the extreme risk of long-term data accumulation without adequate retention policies. Both incidents reinforced that legacy systems and historical data hoards create attack surfaces that organisations consistently under-assess.


Old cloud infrastructure. 36 years of applicant data. Legacy systems create legacy risk.

Cloud Legacy Infrastructure

Oracle's legacy Cloud Classic systems — maintained alongside current Oracle Cloud Infrastructure — may have been compromised while the current platform remained secure. Legacy components within cloud providers create risk that customers may not assess. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess which cloud services and infrastructure versions an organisation depends on.

36 Years of Accumulated Data

NYU held applicant data from 1989 — 36 years of accumulated records with no apparent data minimisation. Under GDPR, data must be retained only as long as necessary. <a href="/cyber-essentials">Cyber Essentials</a> addresses data retention. For UK <a href="/blog/sector-under-the-microscope-education">education institutions</a>, the NYU case is a direct warning about data accumulation.

Education Sector — Again

Following <a href="/blog/anatomy-of-a-breach-powerschool">PowerSchool</a> (January 2025, 62M students) and now NYU (March 2025, 3M applicants), the education sector was hit twice in three months — confirming its status as a consistently under-protected high-value target. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors education platforms.

Denial Followed by Confirmation

Oracle's initial denial, followed by evidence suggesting a compromise, echoed the <a href="/blog/anatomy-of-a-breach-att-73m">AT&T pattern</a> (2024): denial delays trust and compounds reputational damage. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response that includes honest, timely disclosure guidance.

Audit your legacy systems. Minimise your data. Before someone else does it for you.

The Oracle and NYU incidents reinforced that legacy infrastructure and historical data accumulation create persistent risk. Cyber Essentials addresses secure configuration and data management. Our cloud reviews assess legacy cloud dependencies. Infrastructure testing identifies legacy system exposure. SOC in a Box monitors for compromise indicators across all systems — legacy and current. And UK Cyber Defence provides incident response when legacy systems are exploited.


Oracle's legacy cloud. NYU's 36-year data hoard. What legacy risk is hiding in your estate?

<a href="/penetration-testing/cloud-configuration-review">Cloud reviews</a> assess legacy dependencies. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> finds legacy exposure. <a href="/cyber-essentials">Cyber Essentials</a> mandates secure configuration.
