Oracle BlueKai Exposes Billions of Web Tracking Records in Unsecured Database
Oracle’s BlueKai Data Management Platform exposed billions of records containing sensitive web tracking data through an unsecured cloud server discovered on June 19, 2020, in one of the largest data breaches of the year. The database, left accessible to the public internet without password protection or authentication, contained names, home addresses, email addresses, and detailed web browsing activity including purchases, newsletter subscriptions, and website visits across some of the world’s most popular websites.
The exposed database held billions of records tracking user behavior across the internet, with BlueKai monitoring approximately 1.2% of all global web traffic. The tracking data encompassed activity from major websites including Amazon, ESPN, Forbes, Glassdoor, Healthline, MSN.com, Levi’s, Rotten Tomatoes, and The New York Times, among many others. Upon discovery by security researchers and notification by TechCrunch, Oracle secured the exposed servers, but billions of records had already been left open to unauthorized access for an unknown period.
The data breach exposed fundamental security failures in Oracle’s handling of massive consumer surveillance data collected through BlueKai’s tracking infrastructure. The unsecured database demonstrated that Oracle—a company trusted with top-secret government intelligence data and CIA cloud contracts—failed to implement basic security measures to protect billions of records of commercial surveillance data on internet users worldwide. The breach revealed the identities and detailed behavioral profiles of countless individuals who had never consented to BlueKai’s tracking or Oracle’s data collection.
This data breach occurred during a critical period for Oracle’s government contracting business. Just five months earlier, in January 2020, Oracle had completed its $7.4 billion Sun Microsystems acquisition, and the company was positioning for major intelligence community contracts. Five months after this breach, in November 2020, Oracle would be awarded a position on the CIA’s multibillion-dollar Commercial Cloud Enterprise (C2E) contract. The juxtaposition of Oracle’s massive commercial data breach and its simultaneous pursuit of top-secret intelligence contracts raised serious questions about whether a company that couldn’t secure its own commercial databases should be trusted with the nation’s most sensitive classified information.
The BlueKai breach exemplified the dangers of surveillance capitalism and concentrated data collection, where companies amass billions of records on individuals’ online behavior without meaningful consent or security safeguards. The incident foreshadowed the 2022 class action lawsuit alleging Oracle operated a “worldwide surveillance machine,” providing concrete evidence of Oracle’s massive data collection operations and the company’s failure to protect the sensitive information it collected on billions of internet users.
Sources (3)
- Oracle's BlueKai tracks you across the web. That data spilled online - TechCrunch (2020-06-19) [Tier 2]
- Billions of Records of Web-Tracking Data Exposed by Oracle's BlueKai - Cyware (2020-06-20) [Tier 2]
- The Big Data Breaches of 2020 - What Did We Learn? - BitSight (2020-12-31) [Tier 2]