Okta Could See Hit To Its Reputation After Second Major Breach In Two Years: Analysts

Wall Street analysts say that the data breach in Okta’s support case management system could hurt sentiment among customers, with memories of the 2022 Lapsus$ incident still fresh.


Identity security firm Okta could see damage to its business in connection with the uncovering of the second major breach impacting Okta customer data in two years, according to Wall Street analysts.

The breach to Okta’s support case management system, which impacted data belonging to an unknown number of customers, follows the 2022 incident that saw the hacker group Lapsus$ obtain Okta customer data through breaching a third-party support provider.

[Related: Hackers Hit The IT Industry: 12 Companies Targeted In 2023]

Sponsored post

Okta’s stock price was down 8.4 percent to $69.20 a share as of this writing Monday morning. That decline follows the 11.6 percent drop that Okta shares saw on Friday after the disclosure of the breach.

In a note to investors Monday, which was seen by CRN, Evercore ISI’s Peter Levine wrote that “although we hope that the [management] has taken lessons from the [2022] incident, initial reports about last week’s breach are not necessarily portraying OKTA in a favorable manner.”

For instance, as reported by outlets including CRN Friday, “a customer reported raising concerns of a breach to OKTA on Oct 2nd and having received no acknowledgement from OKTA, it wasn’t until Oct 19th that they were notified,” Levine wrote.

The reference was to a post Friday in which cybersecurity vendor BeyondTrust said it discovered the breach, was among the impacted customers and notified Okta on Oct. 2 about the incident. However, Okta did not acknowledge the breach for more than two weeks, according to BeyondTrust.

Okta publicly disclosed the breach Friday, emphasizing that the support system is separate from the company’s identity service, which “is fully operational and has not been impacted.”

As with the Lapsus$ breach in 2022, “customers likely now know the leverage they have to negotiate discounts and are likely prepared to use it,” Levine wrote.

Ultimately, the incident will “most likely” have a near-term impact on Okta’s pipelines, “potentially forcing a downward revision to FY24 estimates and jeopardizing consensus estimates for FY25,” he wrote.

In a note reported by Seeking Alpha, a Citi analyst similarly cited a “negative impact on sentiment from the pattern of cyber breaches OKTA has experienced in the last 18+ months.”

There is now a “potential for reputational risk affecting new pipeline development,” Citi’s Fatima Boolani wrote in the note, according to the report.

CRN has reached out to Okta for comment.

Cloudflare Also Detected Earlier

In his note Monday, Levine also referenced the fact that another Okta customer, Cloudflare, has said it first notified Okta about the breach, rather than the other way around.

“We detected this activity internally more than 24 hours before we were notified of the breach by Okta,” a team from Cloudflare said in a blog post.

The number of impacted customers or types of data that may have been viewed has not been disclosed by Okta.

Journalist Brian Krebs reported Friday that he was told by Okta that a “very small subset” of its 18,000 customers were impacted.

In the BeyondTrust post, the company said that in the weeks following its Oct. 2 notification to Okta, and with “no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta.” Then on Oct. 19, “Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers,” BeyondTrust said.

Okta hasn’t provided its own timeline for the breach. In response to an inquiry by CRN, Okta said in a statement Friday that it “recently” notified customers about the incident.

Lapsus$ Incident

In 2022, Okta suffered reputational damage as a result of not disclosing the breach of its third-party support provider, Sitel. The attack occurred in January 2022, but Okta did not disclose the breach until after Lapsus$ had posted on Telegram about the incident in March 2022.

While initially thought that the threat actor may have accessed data from hundreds of customers, the company subsequently said an investigation found that only two Okta customers were impacted.

Still, Okta co-founder and CEO Todd McKinnon later said in an interview that it was a misstep to not disclose that there was an incident sooner.

“If that happens in January, customers can’t be finding out about it in March,” McKinnon said in May 2022.

In the Okta post Friday, Chief Security Officer David Bradbury said that a stolen credential was used by an attacker to gain “unauthorized access” to the support system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury wrote.

In its statement to CRN Friday, Okta said it has “notified impacted customers and taken measures to protect all our customers.”

In the Cloudflare blog post, the company said that “we urge Okta to consider implementing the following best practices” — the first of which is to “take any report of compromise seriously and act immediately to limit damage.”

Okta should also “provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them” and require the use of hardware authntication keys “to protect all systems, including third-party support providers.”

“For a critical security service provider like Okta, we believe following these best practices is table stakes,” Cloudflare said.