Okta data breach dilemma dwarfs earlier estimates

Okta has admitted that the number of customers affected by its October customer support system data breach is far greater than previously thought. Chief security officer David Bradbury originally said earlier this month that according to the company's root cause analysis, the files of just 134 Okta customers – less than 1 …

  1. Roland6 Silver badge

    It can only be a matter of time before one of the major cloud providers has to announce an extensive compromise of customer accounts…

    1. Version 1.0 Silver badge
      Black Helicopters

      These days the internet and our privacy are cloudy ... A Cloudy world is not a problem (you're right, it's only a matter of time) until we see a thunderstorm with a few inches of rain rolling towards us ...

      1. spireite Silver badge

        Trouble is, it'll be a flood...

  2. aerogems Silver badge
    Mushroom

    Seems like it's time to go back to the main questions of the Watergate era. What did Okta know, and when did they know it? It seems difficult to believe that they're only just now figuring all this out, and more likely they are sitting on plenty more, which they'll only reveal if they're somehow forced to. Wouldn't surprise me in the least if this latest disclosure was intended to head off any lawsuits from affected customers.

    Anyway, that all said, since the place I worked at recently used Okta, it's just one more reason why I'm glad I'm not there anymore.

    1. Anonymous Coward

      One of the troubling after-effects of these incidents is indeed the erosion of trust from their customers and the public at-large.

      The obvious first-order cause is the incident or breach itself -- it naturally gives customers, whether directly affected or not, a reason to question the competency of the company.

      But anyone who has been around tech for a while knows that failures are all but inevitable. Network, hardware, software, application, security, and so on, all suffer from the possibility. So we can understand and even commiserate to some extent.

      However, the companies' handling of the crisis is another matter. Anything less than prompt full disclosure usually makes things worse, especially over the long term. How many times have we seen companies react to some problem like this progression:

      "Nothing happened, business as usual."

      "Something has happened, but we found it early, there was no impact."

      "We have notified the very few customers who might have been impacted, nothing to worry about."

      "Everyone should download the new version, restore from trusted backups, and change all passwords immediately."

      Even if some companies really are working (struggling?) to discover and triage the full impact of whatever failure or breakdown or breach happened, it feels like others are just covering up instead, presumably in hopes of avoiding the financial hit -- stock price, market share, insurance claims, lawsuits etc.

      Customers, industry observers, analysts, and the media question whether the company is withholding information, and if the company would have said anything at all if the breach hadn't been exposed. People extrapolate (accurately or otherwise) that the failure is worse than reported, often leading to more reputational damage to the company.

      You can't defuse a bomb after it has already gone off.

      Companies probably figure they can ride it out well enough if they at least create the appearance of dealing with the incident, wait for the headlines and google search results to move on to other things, then back to business as usual. The strategy, if you can call it that, is usually effective; after all, how many customers are really prepared to make a full switch to another cloud provider, security company, hardware platform, etc.

  3. Anonymous Coward

    Oktagone

    A previous employer went full-Okta. Laptops, IT systems, mail, messaging, facilities, all cloud systems, ... everything. An Okta failure would be a disaster recovery scenario with a few people manually re-adding standard accounts, one host, one user at a time. This was weeks after a couple of minor Okta outages and an Okta hack that compromised systems.

    Shareholders have no idea just how fragile their cloud investments are.

    1. ecofeco Silver badge

      Re: Oktagone

      Well played for the title alone.

      Well played!

      1. spireite Silver badge
        Coat

        Re: Oktagone

        Surely, they have other press releases/breaches to go....

  4. t245t Silver badge
  5. Doctor Syntax Silver badge

    From what I understand of their services the only reason you'd use that sort of service would be because you believe the supplier is better at access security than you are.

    1. spireite Silver badge
      Mushroom

      For the same reason that companies have gone from on-prem to cloud, attracted by the shiny green pastures proclaiming.....

      1. We're cheaper than on-prem

      2. We'll manage all services for you

      and the implied special promise....

      3. You don't need to hire security admins/DBAs/etc....

      and Bully's special prize.... (this seems apt - https://www.youtube.com/watch?v=YIOhWbLcVqg)

      4. WE ARE SECURE

      All of the above were to us whitebeards.... FALSE!!

      I haven't seen one place I've worked at where cloud even came close to the on-prem and related costs - it literally has been magnitudes more expensive.

      Everywhere I've been got rid of DBAs, Security admins, etc... then within 3 months realised they'd been sold a dummy, but already committed to a 'saver' aka 'reserved' plan of 2 years plus. At this point, they rehired the knowledge they'd lost and practically tripled the annual expense by the end of it.

  6. ecofeco Silver badge

    So...

    How's that cloud thing working for ya?

  7. Omnipresent Bronze badge

    The Usual

    The crazy part is, a lot of us knew this news would come when they announced the original breach, and were waiting for the rest of the announcement. Trying to mitigate the damage by spreading out the news over as long a period of time as possible has become par for the course.

    It's ALWAYS worse than you're told. The cloud has compromised everyone in a way only AI could rival.

    1. OhForF' Silver badge

      Re: The Usual

      Waiting for the other shoe to drop is an ancient tradition older than IT (not to mention new fangled things like AI or cloud).
