If the trend continues, 2023 will become another year of over 1,000 publicly reported data breaches. According to the IT Governance Blog (itgovernance.co.uk), this translates to over five billion compromised data records. Breaches will undoubtedly continue to grow in number and severity – reaffirming that cybersecurity is a pressing priority for business.
And while organizations are ramping up the robustness of their cybersecurity programs, the bad guys remain quicker and increasingly sophisticated. Consequently, we should not only be looking at putting stronger systems in place, but gleaning what we can from cyber attacks when they happen. There are valuable lessons to be learned – good and bad – from every event.
A striking case in point is Okta Inc.’s October 2023 data breach. Okta’s investigation revealed both the good and bad things about how a company responds to a cyber incident.
What they did right.
Transparency – Okta was up-front with customers, issuing a full disclosure of the event and the security issues found. They have continued that posture after their disclosure.
Responsibility – Okta fully acknowledged the impact on its customers. They admitted that mistakes were made, detailed what those mistakes were, and identified what corrective steps would be taken.
Action – Affected customers were quickly and directly notified. Okta also conducted a full root-cause analysis and published it.
What they could have done better.
Initial Reaction – When Okta was first alerted to the event, internal reports and event triage indicate that teams deflected the issue back to the customer. This delayed appropriate responses and may have added to the severity of the breach.
One might be tempted to chalk this up to “human behavior” – a tendency to get a little defensive when first presented with a problem, whether or not we’re responsible for the trouble. The valuable lesson here is that cyber events and other technology-related snafus are commonplace and on the rise. Organizations, then, should make comprehensive product ownership a cornerstone of their customer service mission. Even if something is technically “out of the company’s hands,” the forward-facing message to customers should be an unequivocal: “No worries, we’re on it.”
Delayed Response – Okta had an incident response team in place. But as a consequence of deflection and other delays, it is clear that the event was not immediately escalated to the internal IRT. As with every adverse cyber event, delay equals damage (and dollars).
Gap in Log Coverage – In order for cybersecurity teams to work effectively, they need to regularly and precisely review all that is being logged and alerted system-wide. The very logs that eventually revealed the intrusion were not included in Okta’s initial investigative process; in fact, those specific logs were not even considered as part of the security program. Two weeks passed before Okta finally discovered the source of the breach.
The lesson here: a robust cybersecurity program requires thinking like a cyber-criminal. That place where you might not be looking? That could be exactly where the bad guys will try to get in.
Where was Okta’s exposure found?
Upon closer investigation, Okta tied the unauthorized access to a service account stored within Okta’s own customer support system. Okta’s security team found that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. That personal Google account contained the username and password of the employee’s service account, allowing the hackers a door into the company’s service account database. The employee’s service account was subsequently granted permissions to view and update customer support cases – which in turn exposed the customer records.
Okta had not fully considered the risks of this perfectly plausible scenario. If they had, they undoubtedly would have mandated blocking employees from signing in to personal accounts in the browsers on Okta-managed devices – one of the remedies applied after this event.
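The remedy described above (blocking personal sign-in in the browser on managed devices) can be expressed as a browser policy. The following is an added illustration, not a file from this post or from Okta: a Chrome managed-policy file as Chrome reads it on Linux from `/etc/opt/chrome/policies/managed/` (on Windows the same keys are delivered through Group Policy or the registry, on macOS through a configuration profile). The Google Workspace domain `example.com` is a placeholder. `BrowserSignin` set to `0` disables signing the browser into any Google account, which is what stops a personal profile from being attached to a corporate machine; `SyncDisabled` stops saved passwords and other profile data from leaving the device even if sign-in were later re-enabled; `RestrictSigninToPattern` is the narrower alternative that allows only corporate-domain accounts; `PasswordManagerEnabled` set to `false` prevents the browser from storing credentials such as a service-account password at all. Without such a policy, Chrome’s defaults permit sign-in, sync and password saving, which is the configuration the incident exposed.

```json
{
  "BrowserSignin": 0,
  "SyncDisabled": true,
  "RestrictSigninToPattern": ".*@example\\.com",
  "PasswordManagerEnabled": false
}
```

To verify that the policy has actually been applied on a device, open `chrome://policy` in the managed browser: each key should be listed with its source and value, and any key shown with an error has not taken effect.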
The strategic revelation here is clear. When developing your organization’s cybersecurity program, it’s absolutely necessary to work through those “additional chess moves” which may lead to a potential vulnerability. What other mundane employee actions might put systems at risk and compromise an otherwise well-planned defense?
Conclusion
Okta’s response, while not perfect, was better than most for three major reasons:
(1) Okta Security was persistent. They kept digging until they found the logical cause of the breach.
(2) Okta quickly rectified the vulnerability and made appropriate changes to their systems, policies and procedures.
(3) Okta addressed the situation with customers in a straightforward manner. Customers got the reassurances and information they needed so that they were in a good position to explain the situation to their own customers, boards, executive leadership and regulators.
At the end of the day, customer confidence in Okta and the security of their product was maintained. From a business standpoint, that’s everything you could ask for in the aftermath of an adverse cyber event.
See the report.
We highly recommend reviewing Okta’s own report at sec.okta.com/harfiles.
But wait. There’s more.
It has just been revealed that multiple agencies of the State of Maine were recently hacked by a Russian criminal enterprise. The breach was extensive – 1.37 million confidential records, including names, Social Security numbers, dates of birth, driver’s license/state ID numbers, taxpayer ID numbers, and certain medical and health insurance information.
Details are unfolding at the time of this writing. We will soon be updating this story in future blog posts, so stay tuned. You can follow the story at the Maine government site: maine.gov/moveit-global-data-security-incident.