Ars Technica Okta Writeup

Following up on the Okta breach and disclosure issues I mentioned the other day, on Friday Okta published a follow-up article on their security blog, Unauthorized Access to Okta’s Support Case Management System: Root Cause and Remediation. The difference between how Cloudflare handled its post mortem and how Okta handled this response is pretty stark to me. Granted, they aren’t exactly the same scenario, but this is also not the first time Okta has been completely tone deaf in its response. After their first half-assed response, several security researchers called them out on how poor it was. You would think Okta would take the opportunity, in writing their detailed response, to address some of those complaints. Well… Not really.

Ars Technica published a post about the detailed response, excoriating Okta for essentially now blaming one employee for the issue.

Accessing personal accounts at a company like Okta has long been known to be a huge no-no. And if that prohibition wasn’t clear to some before, it should be now. The employee almost surely violated company policy, and it wouldn’t be surprising if the offense led to the employee’s firing.

However, it would be wrong for anyone to conclude that employee misconduct was the cause of the breach. It wasn’t. The fault, instead, lies with the security people who designed the support system that was breached, specifically the way the breached service account was configured.

This is all completely true. You can absolutely block logging in to personal accounts entirely, not to mention disable the password saving feature. Given the sensitivity of what Okta does, this is completely on the leadership team, not on that employee. It probably will not be senior leadership that pays the price, though.
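Both controls that paragraph names can be enforced by browser policy rather than left to employee judgement. The script below is an added example, not code from the original post, from Okta or from Ars Technica. It assumes the workstation runs Google Chrome under managed enterprise policy (the post names neither the browser nor the platform) and uses the real Chrome policy keys BrowserSignin, RestrictSigninToPattern, SyncDisabled and PasswordManagerEnabled; the two sample policy documents, the corporate domain example.com and the audit function itself are constructed for this example.

```python
"""Audit a Chrome managed-policy document for the two controls the post
calls out: sign-in to personal accounts, and the built-in password manager.

Added example (not Okta's, Ars Technica's or the post author's code).
Assumes Google Chrome under enterprise policy; the policy keys are real
Chrome policies, the sample documents and corp domain are constructed.
"""
import json
import re

# Hypothetical corporate mail domain used in the sign-in pattern (an assumption).
CORP_DOMAIN = "example.com"

# Constructed: a typical policy that sets a homepage and leaves both controls open.
WEAK_POLICY = json.dumps({
    "HomepageLocation": "https://intranet.example.com",
})

# Constructed: the same policy with both controls locked down.
HARDENED_POLICY = json.dumps({
    "HomepageLocation": "https://intranet.example.com",
    "BrowserSignin": 1,                              # sign-in allowed ...
    "RestrictSigninToPattern": r".*@example\.com",   # ... but only to corp accounts
    "SyncDisabled": True,                            # no profile sync to any account
    "PasswordManagerEnabled": False,                 # nothing is saved in the browser vault
})


def audit_chrome_policy(policy_json: str, corp_domain: str = CORP_DOMAIN) -> list[str]:
    """Return a list of findings; an empty list means both controls are in place."""
    policy = json.loads(policy_json)
    findings: list[str] = []

    # Control 1: personal-account sign-in. BrowserSignin == 0 disables sign-in
    # outright; otherwise RestrictSigninToPattern must fence it to corp accounts.
    signin = policy.get("BrowserSignin")
    pattern = policy.get("RestrictSigninToPattern")
    if signin == 0:
        pass  # browser sign-in disabled entirely, personal accounts cannot be used
    elif not pattern:
        findings.append(
            "BrowserSignin is not 0 and RestrictSigninToPattern is unset: "
            "personal accounts can sign in to the browser"
        )
    else:
        # Assumption: Chrome applies the pattern as a case-insensitive full match.
        regex = re.compile(pattern, re.IGNORECASE)
        if regex.fullmatch("someone@gmail.com"):
            findings.append(
                f"RestrictSigninToPattern {pattern!r} still matches a personal address"
            )
        if not regex.fullmatch(f"employee@{corp_domain}"):
            findings.append(
                f"RestrictSigninToPattern {pattern!r} does not match corp accounts"
            )

    # Sync is the channel by which a saved credential can leave the device.
    if not policy.get("SyncDisabled", False):
        findings.append(
            "SyncDisabled is not true: browser data can replicate to any signed-in account"
        )

    # Control 2: the built-in password manager. Chrome's default is enabled.
    if policy.get("PasswordManagerEnabled", True):
        findings.append(
            "PasswordManagerEnabled is not false: credentials can be saved in the browser"
        )

    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        result = audit_chrome_policy(doc)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

On Linux, Chrome reads documents like these from /etc/opt/chrome/policies/managed/*.json; on Windows the same keys live under HKLM\Software\Policies\Google\Chrome. Running the script prints three findings for the weak policy and OK for the hardened one, which is the check an endpoint or IT team could run against the policy they actually ship.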

Given the similarities to the January 2022 breach, outlined in this Cloudflare blog post, it’s hard to believe Okta has learned its lesson here. Their support system is clearly a huge vulnerability, it does not seem like they treated the situation appropriately, and from the outside it’s hard to believe they have taken many (if any) steps to correct the issue going forward. It’s hard to assume otherwise when this happens more than once and there is almost no transparency in either case. What’s worse, in both cases we found out about the situation first from someone other than Okta.

Okta needs to get their head out of their ass on this stuff. As a security company, particularly one that is so crucial to so many customers’ security stacks, they NEED to do better. They should be a gold standard in the industry, and no one should ever have to question whether they are doing everything they can to keep customers safe. That should be table stakes for a leading security company. They have a great product, but none of that matters if people can’t trust them, and they are making it harder and harder to trust them.

Here’s a link to the Ars Technica article - https://arstechnica.com/?p=1981227

I want to also point out that there was another Ars Technica article this week titled Okta hit by another breach, this one stealing employee data from 3rd-party vendor. I don’t think the title is fair. Okta wasn’t breached in this case, as far as I’ve been able to find; it was a third-party company that Okta works with to handle internal employee data. I don’t think this constitutes “Okta hit by another breach”. While technically not false, I think it’s fairly misleading.

That said, there are some important things from this that have similarities. In the article, Ars links to a copy of the letter sent to employees -

“The types of personal information contained in the impacted eligibility census file included your Name, Social Security Number, and health or medical insurance plan number,” a letter sent to affected Okta employees stated. “We have no evidence to suggest that your personal information has been misused against you.”

What does that even mean? Of course it will be used against employees. This reeks of a legal team saying and doing the bare minimum they can, while vaguely patting themselves on the back and essentially saying “Sorry, there’s nothing we are going to do about it”. It’s hard to know how much, if anything, Okta itself could have done to prevent this from happening. All of that information is likely needed by the healthcare provider, and the healthcare provider clearly did not have good security in place for this to happen, but this was an opportunity for Okta to actually try to help their employees, and they instead chose to just cover their own legal asses.

Later in the letter they say -

What We Are Doing. Okta regularly reviews and updates the measures it takes to protect your personal information. While we have no evidence that your personal information has been misused, as an added precaution, we are making available to you access to 24 months of complimentary credit monitoring, identity restoration, and fraud detection services, through a product called IdentityWorks, offered by Experian.

More boilerplate “cover your ass” bullshit, clearly from a lawyer. This is just the go-to canned response to most data breaches anymore, and it honestly pisses me off. Experian, and frankly all of the credit bureaus, are essentially rackets, and they are honestly some of the worst companies in the world. I have some personal reasons, which I may write about at some point, for why I hate them so much, but I don’t think anyone has to imagine too hard, and no one is a big fan of any of them. Regardless, their “credit monitoring, identity restoration, etc…” services are completely useless. I’ve gotten this for “free” a few times due to breaches and other scenarios, and they are bait-and-switch services that just try to loop you into paying them long term, and it does not really solve anything. If I were one of the employees impacted by this, I’d be really irritated by this being offered as the solution.

Okta should realize that all of this leaked personal information will be used to spear phish employees in an attempt to gain access to their systems. Attackers just gained a bunch of sensitive information about employees of the company, which can now be used for extortion or false-familiarity campaigns against Okta employees, and that loops back into the previous article and discussion. But I guess next time it happens, Okta can just blame the employee again…