Okta Breach - Don't outsource your business model

With the handling of the LAPSUS$ breach, Okta has shown how to not do security and communication. Three core learnings from #OktaBreach.

In March 2022, the hacker group LAPSUS$ claimed that they have gotten access to customers of Okta. Okta responded in multiple updated statements to the claims. Their response gives us insights into how they handle incidents.

From an outside naive view, I want to present what I think went wrong at Okta and how to fix it.

Don't outsource your core business model 🔗

Okta is selling a single sign on product. As such, security is a core part of the product they are selling.

Okta outsourced their customer support to a third party company. For customer support to reproduce issues and resolve them, they need access to the customer's data. Therefore, Okta not only outsourced customer support but also part of their security.

Hence, when an attempt occurred to add an additional multi-factor at the third party in January, they could not simply investigate within Okta. They needed to request a report and wait for it.

The issue here is not that the report arrived to late. Even if the report came back in a week, it is too slow of a reaction to a security incident. The full handling of a security incident must be happening within the company with fast reaction times. Especially if security is the companies business model.

Hence, don't outsource your core business model.

Don't publish wrong information 🔗

Okta's first response denied the claims to be true. While in an update they corrected that statement, such information shouldn't have been published in the first place if the investigation is still ongoing.

It's important to respond fast. But if there is no certainty, then it's better to communicate: "We don't have evidence of a breach. Investigations are still ongoing."

Especially in the B2B-Business, published information is cascaded. If a wrong statement is published, it is forwarded internally in the customer companies and its correction not only damages Okta's reputation but also the reputation of the security departments within the companies.

On the bright side, at least Okta published a correction.

But still, don't publish possibly wrong information if investigations are still ongoing.

Don't redirect the blame 🔗

In Okta's communication, the focus lied on talking the incident small, reassuring the customers and redirecting the blame to the third party. That doesn't help any customer that is possibly affected. It is focused on protecting Okta's assets, not the customers.

When blaming the third party and its long time to complete a report, Okta ignores that they are in charge of setting up the processes that lead to it. They fail to see that customers not only expect this one incident to be handled, but also upcoming incidents to be prevented by adjusting the processes.

While it's possible that Okta internally learns and externally attempts to protect their image, open and transparent communication has repeatedly shown to be better to protect an image.

Hence, don't redirect the blame, apologize and show how you prevent such incidents from occurring in the future.

Conclusion 🔗

Don't outsource your core business model. The processes around your core business model need to stay fast.

Don't publish wrong information. It's okay to say that you are still investigating.

Don't redirect the blame. You are in charge of setting up the processes.