Did you miss a session at the Data Summit? Watch On-Demand Here.
Okta’s decision to not disclose a January breach that may have impacted hundreds of customers — and the vendor’s choices about what details to share after the hacker group Lapsus$ revealed the incident — are continuing to receive debate in the cybersecurity community.
That’s leading some to ask questions about Okta’s future, such as: How much damage to reputation could Okta take from this? And will the prominent identity security company be able to fully recover?
Investors have already hit Okta hard, with the company’s shares now down 15% since the disclosure of the incident. But inside the security community, the opinions on Okta’s potential reputational impact vary widely.
Jake Williams, a well-known cybersecurity consultant and faculty member at IANS, wrote today on Twitter that based upon Okta’s handling of the Lapsus$ incident, “I honestly don’t know how Okta regains the trust of enterprise orgs.”
“I’m generally in the camp of ‘incidents happen, learn from them and move on, but heads don’t need to roll,’” Williams wrote. “Here I’m not so sure. There seem to be MULTIPLE breakdowns and without full transparency? Yikes.”
The comment was the conclusion to a thread of tweets in which he examined a number of elements of Okta’s communications choices about the incident. In particular, Williams noted the many questions that Okta, a prominent identity authentication and management vendor, has continued to leave unanswered about what happened.
“Please disclose the timeline and process by which Okta customers would have been notified if not for the Lapsus$ screenshots posted,” Williams wrote.
What Okta has said is that Lapsus$ accessed the laptop of a customer support engineer who worked for a third-party Okta support provider, Sitel, from January 16-21. The company said that 366 customers may have been impacted.
However, Okta did not disclose anything about the incident until Tuesday, and only then in response to Lapsus$ posting screenshots on Telegram as evidence of the breach.
Okta CSO David Bradbury seems to have pointed the finger at Sitel for the timing of the disclosure. In a blog post, Bradbury said he was “greatly disappointed” by how long it took for Okta to receive a report on the incident from Sitel, which had hired a cyber forensic firm to investigate. (Sitel declined to comment on that point.)
This messaging from Okta, however, “heavily implies” that the company “was powerless to investigate without Sitel’s report,” Williams wrote on Twitter.
“Given my experience in these things, I’m calling shenanigans,” he wrote. “If Okta wants to continue this narrative, they need to bring receipts.”
An ‘inconceivable’ scenario?
Ultimately, Williams said, it’s “inconceivable” that Okta knew one of its servicers was compromised, but “took no action in the interim.”
Okta did not immediately respond to a request for comment today, but on Wednesday declined to comment when asked by VentureBeat about the decision to not disclose the incident.
Williams is far from alone in suggesting that Okta erred by waiting so long to disclose a breach that may have impacted numerous customers.
“That [delay in disclosure] is why this is bad,” said Andras Cser, vice president and principal analyst for security and risk management at Forrester, in an interview on Wednesday. “It’s not because they got breached — that happens. The fact is that they did not make any sort of disclosure.”
At cybersecurity vendor Atmosec, cofounder and CTO Misha Seltzer says it’s clear to him that “Okta made a mistake by not disclosing the issue back in January.”
“Impacted customers deserve to know so that they can conduct their own investigations,” Seltzer said.
‘Too long’ to disclose?
At Tenable, a cybersecurity firm and Okta customer, CEO Amit Yoran said in a LinkedIn post on Wednesday that “two months is too long.”
In what he called an “Open Letter to Okta,” Yoran said that the vendor was not only slow to disclose the incident, but has made a series of other missteps in its communications, as well.
“When you were outed by LAPSUS$, you brushed off the incident and failed to provide literally any actionable information to customers,” Yoran wrote. “LAPSUS$ then called you out on your apparent misstatements. Only then do you determine and admit that 2.5% (hundreds) of customers’ security was compromised. And still actionable detail and recommendations are nonexistent.”
Ultimately, “trust is built on transparency and corporate responsibility, and demands both,” he wrote. “Even Mandiant was breached [in the SolarWinds attack]. But they had the fortitude and competence to provide as much detail as they could. And they remain one of the most trusted brands in security as a result.”
Committed to transparency?
Still, others in the cybersecurity industry have had a different appraisal of Okta’s handling of the incident and communications about it.
“Okta is doing exactly what a company that values security and customer success should do,” said Ronen Slavin, cofounder and CTO at software supply chain security firm Cycode. “They are communicating quickly and transparently.”
Slavin cited the fact that Okta CEO Todd McKinnon responded to the Lapsus$ screenshots on Twitter in the middle of the night (1:23 a.m. PST) on Tuesday.
“It shows that this issue was being handled at the highest possible level of the company. And it shows that the CEO was involved right away and personally wanted to provide transparency,” Slavin said.
Okta has also made it clear that “they believed this to be an isolated incident, and there was nothing to disclose,” he said.
“For them to believe that their service was not breached, and still note that 366 customers could have been impacted, is exactly the kind of transparency that all software companies should strive for,” Slavin said. “If Okta wasn’t committed to being transparent, why would they acknowledge the possibility of 366 customers being breached?”
Thus, on the question of whether Okta could take a longer-term hit to its reputation, Slavin said he doesn’t believe that would be warranted.
“I hope not,” he said. “Okta has a strong track record of transparency, with incidents dating back to Heartbleed and AWS outages. So Okta has earned the credibility for us to believe they are being transparent.”
Cser also said that even with the backlash from some over the incident, he doesn’t believe the incident will have a lasting effect on Okta’s reputation.
“I don’t think it’s going to harm them in the long term,” he said. “They will probably spend a ton of money on analytics, instrumentation, and end up with better security. I think they’ll just come out of it stronger.”
Demi Ben-Ari, cofounder and CTO at third-party security management firm Panorays, said it’s hard to tell at this point what the reputational outcome may be for Okta.
“Many large security companies have been breached and without lasting consequences in the aftermath,” he said. “The key is seeing how that business handles their responsibility to customers.”
For its part, Okta has emphasized that the potential impact on customers was limited because its own service was not breached, and only a single account, of one Sitel support engineer, was accessed.
“We take our responsibility to protect and secure customers’ information very seriously,” Bradbury said in a blog post. “We deeply apologize for the inconvenience and uncertainty this has caused.”