A hacking incident involving a cloud-based authentication service provider is riling investors who only recently learned of the breach.
It's also putting a new spotlight on regulatory requirements regarding how breaches are reported.
The incident involved improper access to client lists of Okta Inc., portions of which were posted as screenshots on the messaging app Telegram. A hacking group gained access to the lists through a compromised employee account at Sykes Enterprises Inc., a privately held contractor that provides customer service to Okta users.
Okta Chief Security Officer David Bradbury in a March 22 blog post acknowledged that the company received an alert about a potential breach in January, but said Sykes' parent Sitel Group just provided it with a full summary of the incident March 17.
"I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report," Bradbury wrote in the blog post.
When contacted by S&P Global Market Intelligence, an Okta spokesperson reiterated Bradbury's confirmation that up to 366 of Okta's customers were impacted by the breach, but said no corrective actions would be needed by those customers.
A spokesperson from Sykes told S&P Global Market Intelligence that the company enlisted a "worldwide cybersecurity leader" to conduct an immediate and comprehensive investigation into the breach.
"As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk," the spokesperson said, declining to comment on whether other companies aside from Okta were impacted by the breach.
Okta's delayed response did not sit well with some of its customers, including cloud-infrastructure and security provider Cloudflare Inc. The company's CEO said in a recent tweet that Cloudflare is evaluating alternatives to Okta.
A Cloudflare spokesperson told S&P Global Market Intelligence that there is no evidence that the company was compromised.
"Okta is merely an identity provider for Cloudflare," the spokesperson said. "Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a stand-alone option."
Amit Yoran, CEO of cybersecurity company Tenable Inc. and another client of Okta's, also expressed his frustration at the delay in confirming the breach.
"Two months is too long," Yoran wrote in a LinkedIn post. "This compromise should have been disclosed when Okta detected it in January or after a competent and timely forensic analysis."
Raymond James analyst Adam Tindle downgraded Okta's stock to "market perform" from "strong buy," following the March disclosure, citing the company's handling of the security incident and the likely backlash from its customer base.
Okta's share price declined 17.19% from March 18 through March 24. The Nasdaq was up 2.14% in that period.
"The biggest lesson to be learned from this fallout is that cyberattacks need to be reported to customers immediately so they can take appropriate measures to protect themselves," said Garrett Bekker, principal research analyst in the information security channel at 451 Research. "It is no coincidence that we're seeing some action being taken right now from the White House towards more regulations requiring rapid disclosure by firms when they do get impacted."
The Okta breach also underscores the risks of companies relying on third-party firms to handle part of their operations, Bekker said.
"Part of the problem is that when outsourcing is so prevalent in companies it gets very hard for them to keep track of every aspect of their business," the analyst said. "There are some tools that will allow companies to audit their third-party relationships and have a better understanding of every firm they do business with downstream, but clearly they don't work every time."
The hacking group that hit Okta's contractor is also responsible for breaches at other large tech companies, including at
An NVIDIA spokesperson told S&P Global Market Intelligence that some of the company's proprietary information and employee credentials were stolen from its systems.
"Our team is working to analyze that information and we do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident," the spokesperson said.
More recently, the hacker group posted a file online that it claimed contains partial source code from Microsoft Corp.'s Bing and Cortana software.
"Our investigation found an account had been compromised, granting limited access," a Microsoft spokesperson said in an emailed statement. "Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity."
While the Microsoft hack, similar to the NVIDIA incident, involved the leaking of documents online, the hacker group had implied it had more, including potentially the ability to change the passwords of the company's clients. Allison Nixon, chief research officer at cybersecurity investigation company Unit 221B, said the evidence to date suggests otherwise, however.
A U.K. teenager has been arrested in connection with the hacking group, according to the BBC.
Unit 221B had identified the boy in 2021 and was periodically tracking his crimes and reporting them to law enforcement, Nixon said.
451 Research is part of S&P Global Market Intelligence.