Regardless of precautions and incident plans, cyberattacks terrify c-suites. The recent breach at identity-security firm Okta spotlights a common leadership response mistake — sacrificing customer trust for overestimated legal risk.
In January 2022, hacker group LAPSUS$ infiltrated an Okta contractor’s computer. Relying on its vendor’s initial forensics, Okta opted not to disclose the brief attack. The breach was eventually made public in March via a series of hacker posts.
Okta’s attempts to minimize that bad news soon escalated into a public relations nightmare, stock downgrades, senior leader apologies and a class-action lawsuit.
This cyber crisis spiral exemplifies why companies must proactively prioritize ‘what must go right’ customer trust imperatives over ‘what could go wrong’ legal fears.
The Okta case is neither complex nor surprising. Increasing reliance on service providers to address staffing needs and talent gaps also brings cybersecurity risk.
In Okta’s case, however, three key leadership shortcuts widened and worsened the breach toll:
- First, Okta did not oversee the contractor devices used to access company systems and customer accounts. That gap limited its visibility into the incident and its exposure.
- Second, when the hack occurred, Okta’s executives and IT security team hastily relied on the vendor-commissioned forensic investigation.
- Third, to downplay the alleged hackers’ postings, Okta CEO Todd McKinnon tersely tweeted that the “matter was investigated and contained by the [vendor]. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.” That vague Twitter response only invited questions and second-guessing.
Pressed to clarify the attack’s scope, David Bradbury, Okta chief security officer (CSO), added later that day that “after a thorough analysis, we have concluded that a small percentage of customers — approximately 2.5% have potentially been impacted and whose data may have been viewed or acted upon.”
That “small percentage” equated to over 260 customers. On that estimate, investment firm Raymond James downgraded Okta stock, noting, “While partners were willing to trust Okta’s track record, the handling of its latest security incident adds to our mounting concerns.” The company’s stock valuation fell nearly 11% overnight and its market cap declined approximately $6 billion within a week.
Soon after, Okta publicly apologized for its slow customer notification, stating, “We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third-party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel.”
Eventually, in late April, Okta disclosed that the final independent forensics investigation concluded that the hacker “accessed two active customer [files] and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions” in company databases.
With the data risk concerns apparently identified and contained, Okta CSO Bradbury separately acknowledged the damage to customer relationships: “Beyond those potentially impacted organizations, we recognize how vital it is to take steps to rebuild trust within our broader customer base and ecosystem.”
Okta terminated its relationship with Sitel and now directly manages “all devices of third parties that access our customer support tools, providing the necessary visibility to effectively respond to security incidents without relying on a third party. This will enable us to significantly reduce response times and report to customers with greater certainty on actual impact, rather than potential impact.”
Bradbury concluded that “while Okta’s technology excelled during the incident, our efforts to communicate about events at Sitel fell short of our own and our customers’ expectations. Okta’s leadership team has met with thousands of customers over the past few weeks to talk through our response directly.”
That’s a lot of time and energy that the c-suite couldn’t and didn’t spend on strategy execution.
A class-action lawsuit filed against Okta in May also names McKinnon, Bradbury and its current and two former CFOs as defendants. While most shareholder suits end in settlements, attorney meetings, discovery and depositions consume senior leader time and incur hefty legal fees.
Kevin LaCroix, EVP at management liability insurance intermediary RT ProExec, warned that the Okta case is “yet another lawsuit that underscores how [a] company handles bad news disclosures can significantly impact subsequent securities litigation. Allegations that the defendant company soft-pedaled bad news disclosure is frequent in securities lawsuits.” He reminds boards and c-suites that “despite plaintiffs’ poor track record in cybersecurity related D&O [director and officer] cases, plaintiffs’ lawyers remain interested in pursuing these suits.”
Agreeing that a settlement is the probable outcome, Alex Stamos, Stanford Internet Observatory director and former Facebook CISO, implored leaders in a Twitter post not to miss the key Okta lesson, penning, “Executive teams massively over-prioritize legal risks when responding to major cybersecurity incidents. Legal risks are rarely existential and focusing on paying slightly less in the inevitable shareholder settlement often creates an existential risk around customer trust.”
Fear of the dark
Cyber incidents undoubtedly will happen — and subsequent response decisions only toughen as uncertainty and litigation pressure mount. Will the next c-suites facing cyberattack unknowns timidly repeat Okta’s stumbles or assertively carve smoother paths that prioritize customer trust? Time will tell, tell, tell…