Okta’s Fearful Cyber Response Worse Than Hackers’ Peek—How 3 Tempting Tech Crisis Shortcuts Cost More

Regardless of precautions and incident plans, cyberattacks terrify C-suites. The recent breach at identity-security firm Okta spotlights a common mistake in leadership response: sacrificing customer trust for overestimated legal risk.

In January 2022, hacker group LAPSUS$ infiltrated an Okta contractor’s computer. Relying on its vendor’s initial forensics, Okta opted not to disclose the brief attack. The breach was eventually made public in March via a series of hacker posts.

Okta’s attempts to minimize that bad news soon escalated into a public relations nightmare, stock downgrades, senior leader apologies and a class-action lawsuit.

This cyber crisis spiral exemplifies why companies must proactively prioritize ‘what must go right’ customer trust imperatives over ‘what could go wrong’ legal fears.

Far reach

The Okta case is neither complex nor surprising. Increasing reliance on service providers to address staffing needs and talent gaps also brings cybersecurity risk.

In Okta’s case, however, three key leadership shortcuts widened and worsened the breach toll:

  • First, Okta did not oversee contractor devices used to access company systems and customer accounts. That limits visibility into cyber incidents and exposure.
  • Next, when the hack occurred, Okta’s executives and IT security team hastily relied on the vendor-commissioned forensic investigation.
  • Third, to downplay the alleged hackers’ postings, Okta CEO Todd McKinnon tersely tweeted that the “matter was investigated and contained by the [vendor]. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.” That vague Twitter response only invited questions and second-guessing.

Pressed to clarify the attack’s scope, David Bradbury, Okta chief security officer (CSO), added later that day that “after a thorough analysis, we have concluded that a small percentage of customers — approximately 2.5% have potentially been impacted and whose data may have been viewed or acted upon.”

That “small percentage” equated to over 260 customers. Upon that estimate, investment firm Raymond James downgraded Okta stock,…