Oracle Corp. has been hit with a proposed class action in Texas federal court alleging the tech company failed to protect customers' sensitive information from hackers who breached its network in July and then waited months before notifying those affected.

Using what's known as a zero-day exploit, or unknown software vulnerability, hackers on July 10 were able to weasel their way into Oracle's network, where the company stores "a litany of highly sensitive personal identifiable information" about customers and their employees, according to the complaint filed Monday by Patricia Eagan.

It's not known how long the hackers had access to Oracle's systems before the breach was discovered, which shows that the tech company didn't have the means to prevent, detect, stop or mitigate breaches, the suit states. The company's failure to maintain reasonable security measures and to adequately train its employees on cybersecurity put customers' data at risk, Eagan says.

"The exposure of one's [personal identifiable information] to cybercriminals is a bell that cannot be unrung," the suit states. "Before this data breach, [Oracle's] current and former enterprise customers' (and their current and former employees' and contractors') private information was exactly that — private."

"Not anymore," it adds. "Now, their private information is forever exposed and unsecure."

But Oracle didn't issued a security advisory about the breach until Oct. 4, according to a notice sent out by GlobalLogic Inc., one of the tech company's enterprise customers. GlobalLogic reported that its own investigation identified the earliest hacker activity occurred July 10, with the most recent activity on Aug. 20, according to the suit.

According to GlobalLogic's notice, the personal information exposed included data collected by human resources, such as addresses, phone numbers, birth dates, passport information, Social Security numbers and bank account information.

"The notice of data breach shows that [Oracle] cannot — or will not — determine the full scope of the data breach, as [Oracle] has been unable to determine precisely what information was stolen and when," the complaint states.

Eagan, a consultant contracted by GlobalLogic, is one of the potentially thousands of people whose personal information was exposed in the breach. She says she has had to spend a significant amount of time and effort monitoring her accounts to protect herself from identity theft.

With a record 3,158 data breaches occurring last year that exposed more than 1.3 trillion sensitive records, Oracle knew or should have known the risk of a data breach, according to the suit. And the company failed to follow the Federal Trade Commission's guidelines identifying the best data security practices, as well as industry standards including educating employees, using strong passwords and having multilayer security measures, the complaint argues.

Eagan wants to represent a nationwide class of individuals whose personal identifiable information was compromised in the data breach that impacted Oracle in July, as well as a California subclass.

The suit asserts claims for negligence, breach of implied contract, invasion of privacy, unjust enrichment, and violations of California's Unfair Competition Law, Consumer Privacy Act and Customer Records Act.

It seeks injunctive relief, as well as compensatory, exemplary, punitive and statutory damages, litigation costs, and attorney fees.

A representative for Oracle and counsel for Eagan did not immediately respond to requests for comment Wednesday evening.

Eagan is represented by Joe Kendall of Kendall Law Group PLLC and Samuel J. Strauss and Raina C. Borrelli of Strauss Borrelli PLLC.

Counsel information for Oracle was not immediately available.

The case is Patricia Eagan v. Oracle Corp., case number 1:25-cv-01805, in the U.S. District Court for the Western District of Texas.