Each week we take a look at the most recent events and trends related to data security and privacy. This week’s episode takes inspiration from one of my favorite scenes in Star Wars: The Empire Strikes Back. After pursuing Luke Skywalker, Han Solo and Princess Leia (and failing to capture them), the commanding officer of an Imperial Star Destroyer volunteers to tell Darth Vader the bad news. The next time we see the officer, he is crumbling to the floor as Lord Vader walks away, muttering the title of this week’s discussion – “Apology accepted, Captain Needa.”

Show Notes

Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter

Show Transcript

Apology Accepted, Captain Needa

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 1, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week’s episode takes inspiration from one of our favorite scenes in Star Wars: The Empire Strikes Back. After pursuing Luke Skywalker, Han Solo and Princess Leia (and failing to capture them), the commanding officer of an Imperial Star Destroyer volunteers to tell Darth Vader the bad news. The next time we see the officer, he is crumbling to the floor as Lord Vader walks away, muttering the title of this week’s discussion – “Apology accepted, Captain Needa.” This week we will discuss the handling of the Okta data breach event.

Okta Data Breach Investigation

This week, one of the leading companies in what is known as the identification and access management market started the week denying reports they had been breached. Okta is a publicly-traded company that offers products to secure the login process for companies to ensure only people with proper credentials or authority can access certain kinds of information or systems.

A notorious ransomware gang, Lapsus$, posted screenshots from January that claimed to show the criminal group had gained access to multiple Okta customers. Initially, the company downplayed the reports of an Okta data breach and that they were linked to an event in January.

However, as the week wore on, Okta changed their story. First, Okta acknowledged an attack but claimed no systems were breached. Then, the story shifted to, well, one client system may have been breached – followed by an admission that the Okta data breach may have impacted 366 client systems. That’s less than three (3) percent of Okta’s customer base.

Finally, by mid-week, the CEO of Okta offered a full-throated apology for not taking the event seriously and acting quickly enough. There was also a lot of finger-pointing in the course of the week during the Okta data breach investigation that saw Okta’s stock price drop 15 percent.

Takeaways from the Okta Data Breach Event

What are the takeaways from the Okta data breach event, which most likely did not put consumer information at risk?

  1. No one wants to be poor Captain Needa shuffling off to tell Darth Vader the rebels have escaped. In this scenario, no corporate executive wants to tell shareholders, regulators, employees or customers they failed to protect their systems as intended. It’s a natural reaction to want to avoid needlessly alarming their stakeholders.
  2. Still, when it comes to cybersecurity and cyberattacks, transparency is vital – but often in short supply. Okta eventually confessed to their shortcomings, but their attempts to minimize the severity of the cyberattack delayed the inevitable. The result of the Okta data breach was a controversy (and a hit to their reputation, as well as finances) that could have been avoided. Owning a problem, no matter how painful, is always better than trying to avoid the issue.
  3. For any business, this is a great reminder that your weakest cybersecurity link may not be you. Rather, it could be a vendor or a vendor’s vendor. Systems and data repositories are so intertwined that it’s often difficult to tell where one system ends, and the other begins. That requires everyone in the supply chain to meet the same or similar standards for data protection.

Utah Governor Signs New State Privacy Law

We have one last note from a previous episode. The governor of Utah has signed a new state privacy law that will go into effect at the end of 2023. Utah is now the fourth state, along with California, Virginia and Colorado, to have a comprehensive data and security law. However, Utah’s law does not directly address cybersecurity like the other three states.

Contact the ITRC

If you want to learn more about protecting your personal or business information, or if you think you have been the victim of an identity crime or compromise, visit our new website at our old web address www.idtheftcenter.org. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST).

Be sure to listen to the latest episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.