Insiders said Oracle told staff that criminals had exploited flaws in its software, the same ones patched back in July. Customers who skipped the update are now discovering just how expensive that oversight can be.
Oracle’s chief security officer Rob Duhart confirmed the outfit was “aware” that some users had received extortion emails and urged them to apply the latest security updates.
Security outfit Halcyon, which is helping victims, said hackers sent emails to executives claiming to have breached Oracle’s business suite, which runs everything from finance to supply chain management. In at least one case, the ransom note demanded as much as $50 million (€46 million).
The attackers say they are affiliated with Cl0p, a ransomware mob well known for locking files and demanding cash for deletion. In 2023, the US Cybersecurity and Infrastructure Security Agency branded Cl0p “one of the largest phishing and malspam distributors worldwide” and estimated it had hit more than 3,000 organisations in the US and 8,000 worldwide.
One source said the flaws were part of Oracle’s critical patch update advisory from July, which warned customers to update E-Business Suite. Clearly, plenty ignored the memo, and Cl0p has moved fast to monetise their laziness.