Oracle Data Leak: Smoke without Fire? Togo & Kenya Enhance Security
02.04.2025

"The biggest supply chain hack of 2025" — contradictions behind alleged data theft from Oracle. African nations are actively pursuing information security. Kenya has published a draft cybersecurity strategy as part of its digital transformation process, and the Togo Data Commissioner has begun operations.

A major security incident supposedly occurred at the end of the first quarter, sparking heated debates and discussions. During the second half of March, a threat actor claimed to have breached Oracle's cloud infrastructure and stolen sensitive data. Preliminarily, an intruder had accessed 6 million records regarding 140,000 tenants. Company officials have denied any allegations of the incident, but security researchers say the evidence indicates otherwise.

The intruder claims to exfiltrate large trove of sensitive data including:

  • Single-sign-on (SSO) passwords
  • Encrypted LDAP passwords
  • Security certificates
  • Java KeyStore file
  • And other records.

The adversary claims that SSO and LDAP passwords can be decrypted. Thus, the leaked data can be used for authentication and security within Oracle Cloud services. Stolen records can be used by malicious actors to facilitate further supply chain attacks.

Oracle has stated that there are no security concerns regarding customer data exposure. In contrast, researchers advise paying attention to the potential threat. Yet, if the rumors are proven to be true, Oracle clients may need to change their passwords in order to protect themselves from potential attacks that could exploit disclosed credentials.

 Should the leak be verified, it will be the biggest supply chain threat of 2025, potentially affecting companies all over the globe.

As time goes on, the first consequences of the alleged data breach can be seen. On the 24th of March, the Cybersecurity Council of the UAE Government confirmed that the national cybersecurity systems have successfully repelled cyberattacks on governmental and business entities.

Dr. Mohamed Al Kuwaiti, Head of Cybersecurity for the UAE Government, said that 634 organizations in the UAE may be affected by Oracle’s breach. The Council urged all government and private institutions to bolster up their defenses, increase cyber readiness levels, and report any detected suspicious activity.

Meanwhile, African countries continue to develop legal frameworks, ensuring data protection. The Kenyan Ministry of Interior and National Administration has published the revised draft of the National Cybersecurity Strategy for 2025-2029. This strategy aims to enhance cyber resilience, implement a comprehensive approach to incident response, and protect critical infrastructure. Some key updates to the draft include the integration of AI, public-private collaboration, and advanced incident response measures.

The draft National Cybersecurity Strategy is a part of a broader Kenyan digital transformation initiative. In March 2025, the Ministry of ICT and the Digital Economy launched the National Artificial Intelligence (AI) Strategy 2025-2030. The project is backed by KES 152 billion (around $1 billion), approximately 0.8% of Kenyan GDP. More than half of the sum is planned to be spent on the construction of critical digital infrastructure, including a national computing cluster “AI cloud” and a national optic fiber backbone.

Data protection is a top priority for African countries as well. On the 28th of March, Togo’s Personal Data Protection Authority, IPDCP, officially launched activities with the start of an awareness-raising program. The Authority was established by Law No. 2019-014 on the Protection of Personal Data.

IPDCP starts its mission with a massive awareness campaign to improve citizens’ knowledge of their rights and mechanisms to protect against the misuse of their data. “Our mission is first to educate citizens about the protection of their personal data and privacy,” said Lieutenant-Colonel Bediani Béléi, the Head of the Personal Data Protection Authority. Furthermore, in the next step, IPDCP plans to ensure regulatory compliance. The Authority can enforce administrative sanctions for violations of the DPA Law, including withdrawal of authorization, fines, and criminal prosecution.

Togo achieved major successes in cybersecurity in the last years. According to the 2024 edition of the International Telecommunication Union Global Cybersecurity Index, the country scored 88.8 points out of 100.


A proactive approach to information security is essential. The disclosure of sensitive files can cause significant damage to a company. The integration of DCAP and DLP systems ensures reliable protection against internal threats and helps with regulatory compliance.If your company needs assistance navigating the complexity of laws and regulations, our Managed Security Service (MSS) can help. MSS ensures compliance with regulatory requirements and ensures implementation of comprehensive and advanced information security measures.

Start your free 30-day trial now and conduct a security audit in your organization today.


Letter Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyber incidents.