Okta's Costly Cyber Security Failures: A $60 Million Lesson in Transparency
By Stan Vick

●  In January 2022, Okta experienced a data security breach, but it took the company two months to reveal the full extent of the incident's impact.

●  When Okta finally disclosed the details, management downplayed both the severity of the breach and the company's inadequate security measures. They also failed to address the revenue losses caused by the incident.

●  Despite Okta’s initial denials about the data breach, the company’s CEO later acknowledged the incident via Twitter, leading to an 11% decline in the stock price.

●  On May 20, 2022, a shareholder lawsuit was filed by a group of investors to seek compensation from the company.

●  The company has agreed to pay $60 million to affected shareholders to settle this lawsuit. Affected investors can now file a claim to receive the payment.

Overview

Okta Inc. (OKTA) suffered a security breach in early 2022 in which attackers gained access to customer data. Okta did not disclose the incident promptly, and when management finally did reveal it, the disclosure said little about how deep the compromise went or how weak the company's security measures had been. In May 2022 a group of shareholders sued Okta over misleading statements, negligence and omissions. On July 19, 2024, more than two years later, Okta agreed to pay $60 million to affected shareholders to settle the lawsuit.

Okta Has Itself to Blame for The Investor Backlash

The roots of the scandal that eventually led to the lawsuit trace back to Okta's acquisition and integration of Auth0. In May 2021, Okta acquired Auth0, Inc., a provider of customer identity and access management software, for $6.5 billion. The integration of the two companies then ran into serious trouble, above all in combining the two sales organizations, and not long after the deal several senior leaders from both Auth0 and Okta left. This turnover hurt Okta's operations; management, however, avoided disclosing these problems to investors, leaving them in the dark about the challenges Okta faced after a multi-billion-dollar transaction.

Source: Investor presentation

Amid these challenges, Okta suffered a security incident in January 2022. According to the complaint, Okta failed to secure its administrative tooling, in particular the "SuperUser tool", which allowed staff to reach customer data without proper vetting or compensating controls. Employees without formal training could reportedly use it to access customer data, even from their home laptops. The security point is simple: a support tool that grants broad, cross-tenant administrative rights gives exactly that reach to anyone who can run it, so whoever compromises a single account or laptop with the tool inherits it.

The complaint also alleged that Okta did not extend its own "Zero Trust" standards to third-party vendors, and it was through a vendor's access that hackers from the group LAPSUS$ got in in January 2022. A zero-trust standard that stops at the corporate boundary does not help when a contractor's endpoint is the one holding the session.
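The two failures above, a broad support tool reachable from unmanaged devices and a zero-trust standard not applied to vendors, are easiest to see as policy logic. The following Python is an added illustration written for this page; it is not Okta's code and does not describe how the SuperUser tool actually worked. It evaluates constructed support-access requests against a permissive policy that checks only for the tool role (the state the complaint alleges) and against a zero-trust policy that also requires a managed device, strong MFA, an open support case for the target tenant and an approval ticket for privileged actions. All actor names, tenant names, field names and sample requests are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed data for the example: who holds the support tool role.
TOOL_ROLE_HOLDERS = {"alice@okta.example", "bob@vendor.example"}

# Actions that change a customer user's ability to log in.
PRIVILEGED_ACTIONS = {"reset_password", "reset_mfa"}


@dataclass(frozen=True)
class AccessRequest:
    """One attempt to use the support tool against a customer tenant (hypothetical fields)."""
    actor: str                     # account making the request
    device_managed: bool           # corporate-managed, attested endpoint?
    mfa_verified: bool             # strong MFA completed for this session?
    target_tenant: str             # customer tenant being touched
    action: str                    # e.g. "view_users" or "reset_password"
    case_tenants: frozenset = frozenset()  # tenants with an open case assigned to actor
    approval_ticket: str = ""      # second-person approval for privileged actions


def permissive_policy(req: AccessRequest):
    """Models the alleged state: holding the tool role is the only check.

    Employer, device, MFA and tenant scope are never consulted, so a vendor
    engineer on a home laptop gets the same reach as anyone else with the role.
    """
    if req.actor not in TOOL_ROLE_HOLDERS:
        return False, "no tool role"
    return True, "role present"


def zero_trust_policy(req: AccessRequest):
    """Every request is judged on its own evidence, whoever employs the actor."""
    if req.actor not in TOOL_ROLE_HOLDERS:
        return False, "no tool role"
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.mfa_verified:
        return False, "no strong MFA on this session"
    if req.target_tenant not in req.case_tenants:
        return False, "no open support case for tenant"
    if req.action in PRIVILEGED_ACTIONS and not req.approval_ticket:
        return False, "privileged action needs an approval ticket"
    return True, "ok"


# Constructed sample requests (all names and the ticket number are made up).
SAMPLE_REQUESTS = [
    # vendor engineer, home laptop, no MFA, no open case: the shape of the January 2022 access
    AccessRequest("bob@vendor.example", False, False, "customer-a", "view_users"),
    # the same engineer doing it properly
    AccessRequest("bob@vendor.example", True, True, "customer-a", "view_users",
                  frozenset({"customer-a"})),
    # employee resetting a customer user's password with no second approval
    AccessRequest("alice@okta.example", True, True, "customer-b", "reset_password",
                  frozenset({"customer-b"})),
    # the same reset with an approval ticket attached
    AccessRequest("alice@okta.example", True, True, "customer-b", "reset_password",
                  frozenset({"customer-b"}), "CASE-1234"),
    # an account that never held the role
    AccessRequest("mallory@example", True, True, "customer-a", "view_users",
                  frozenset({"customer-a"})),
]


def decisions(policy, requests=SAMPLE_REQUESTS):
    """Run every request through a policy; returns one (allowed, reason) pair per request."""
    return [policy(r) for r in requests]


if __name__ == "__main__":
    for name, policy in (("permissive", permissive_policy), ("zero_trust", zero_trust_policy)):
        print(name)
        for req, (ok, why) in zip(SAMPLE_REQUESTS, decisions(policy)):
            print(f"  {req.actor:<22} {req.action:<15} {req.target_tenant:<10} "
                  f"{'ALLOW' if ok else 'DENY ':5} {why}")
```

Run it and the first request, the vendor engineer on an unmanaged laptop, is the one the permissive policy waves through and the zero-trust policy stops. The deciding fields are properties of the device and the session, not of the actor's employer, which is the point of applying one standard to staff and vendors alike.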

LAPSUS$ then posted the following message and screenshots on its Telegram channel as proof that it had access to Okta's systems. One screenshot showed access to the Cloudflare tenant, including the ability to reset employee passwords, which is what made the breach so serious: whoever controls the identity provider's administrative view controls its customers' logins.

Source: Bleeping Computer

Initially, Okta denied that it had been breached, stating that the service remained fully operational and that a third party had made an "unsuccessful attempt" to breach its systems. The attempt to minimise the bad news soon turned into a public relations nightmare of analyst downgrades, apologies from senior management and a class action lawsuit once the company acknowledged the breach on Twitter on March 22, 2022, more than two months after it had occurred.

Source: X

The consequences of CEO Todd McKinnon's Twitter post were severe. Shortly afterwards, CSO David Bradbury stated in an official update that around 2.5% of customers might have been affected by the breach. Investor trust deteriorated and the stock fell 11% on March 23, 2022; within a week of the acknowledgment, roughly $6 billion had been wiped from the company's market value.

In light of these developments, Raymond James downgraded Okta and wrote in a note to clients:

"While partners were willing to trust Okta’s track record, the handling of its latest security incident adds to our mounting concerns."

The situation worsened in May 2022 when a group of shareholders sued Okta, accusing the company of failing to share details about the security breach. They also claimed Okta didn’t take enough steps to prevent the breach and delayed revealing it while downplaying its vulnerabilities.

Then, in October 2023, Okta suffered another breach, this time of its customer support system, and the stock fell 12%. The attackers used a stolen credential to log into the support case management system. The following month, management stated that the attackers had taken information on every user of the support system, including customer names and email addresses. There was no direct evidence that the data had been misused, but Okta warned customers to stay alert: a list of exactly who contacts Okta support, with their addresses, is what an attacker needs to run convincing phishing and social engineering against them.

Amid these security threats and litigation issues, Okta stock has declined 35% in the last 5 years despite its revenue increasing substantially from just $399 million in 2019 to $2.26 billion in 2023. 

Resolving The Case

Okta has agreed to pay $60 million to settle claims related to the security breach and shareholder lawsuit. If you invested in Okta in 2022, you may be eligible to claim part of the settlement to recover some of your losses.

The settlement and the broader security breach issues underscore the serious legal and financial risks of not prioritizing transparency and cybersecurity, as Kevin LaCroix from RT ProExec noted. For top management, the lawsuit sends a clear message: legal challenges can be handled, but restoring lost trust is a much tougher battle.
