Okta grew into a $25 billion company by promising customers it could verify that everyone granted access to their internal data was an authentic user. This week, those customers have lots of questions.
After initially downplaying the impact of the remote takeover of an internal account belonging to a contractor working for Okta, the company confirmed Tuesday night that the group behind the takeover may have been able to view the internal data of hundreds of customers. The incident occurred in January, but David Bradbury, Okta’s chief security officer, wrote in a blog post that Okta did not receive the forensic report from the contracting company until Tuesday morning, hours after the Lapsus$ hacker group posted screenshots of Okta’s internal IT systems to Twitter.
The contracted support engineer whose account was compromised was working for Sitel, a contact-center outsourcing company. “We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel,” Bradbury explained in the blog post.
“[W]hile the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session,” he wrote. Support engineers have “limited” access to Okta customer data, according to Bradbury, but he still called the incident “embarrassing.”
However, the length of time between the discovery of the incident in January and Tuesday’s disclosure could prove to be more embarrassing for Okta in the long run. Security incidents are somewhat inevitable, even at companies that offer security services, but enterprise customers are more forgiving of vendors that disclose incidents clearly and promptly.
“Executive teams massively over-prioritize legal risks when responding to major cybersecurity incidents,” said Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook. “Legal risks are rarely existential and focusing on paying slightly less in the inevitable shareholder settlement often creates an existential risk around customer trust.”