The irony in the following story of a damaging data breach cannot be ignored, but it can be learned from. External data privacy is the missing element in even the most well-regarded cyber security solutions.
In October of 2023, Okta, a leading provider of identity and access management (IAM) solutions was victimized by a data breach. IAM solutions are routinely employed by large enterprises and are regarded as a cornerstone of any cyber or information security practice.
Used to control who is authenticated and authorized to access secure data and resources, IAM systems are relied upon to provide highly secure and configurable access to employees in multiple, disparate locations globally, as well as to third-parties like partners, vendors, and mobile/remote users.
For a company whose entire business model is built atop the promise of keeping data systems secure from unauthorized access to be breached (especially as thoroughly as Okta was) is proof that no organization is safe from being victimized by data breaches – unless or until they address and neutralize the threat posed by unsecured external data privacy.
As is almost always the case with events of this nature, there was more than one vulnerability exploited by threat actors to successfully effectuate these attacks. In fact, there are often a number of failures within different areas of the victim organization’s overall InfoSec strategy which, combined, enable threat actors to achieve their criminal goals, and which make the follow-on consequences of the initial breach far worse over time. For an IAM company like Okta, whose customer base is comprised of other leading providers of password encryption, trust management and other cybersecurity solutions, the damage rippled outwards, causing serious security problems downstream for organizations that are not even customers of Okta.
Shockingly, nearly all the enormous, costly data breaches and cyberattacks examined by this series share one glaring commonality. It is a consideration all too frequently overlooked by even the most sophisticated InfoSec programs and one which, even in the aftermath of a catastrophic security breach, is still left inadequately addressed. The commonality threading through this and most other cybersecurity failures: inadequate External Data Privacy management, or “EDP”.
THE VICTIM ORGANIZATION
Founded in 2009 as SaaSure by a pair of former Salesforce.com employees, Okta, as it is now known, is a San Francisco-based identity and access management company delivering cloud-based software solutions that help client organizations manage and secure user authentication into web and mobile applications. In 2015, the company raised $75 million in private equity from the venture capital firm Andreessen Horowitz, led by the acknowledged godfather of the internet, Marc Andreessen. Other early investors included Silicon Valley VC leaders Sequoia Capital and Greylock Partners. The company went public in 2017 with an initial public offering on the Nasdaq (OKTA), reaching a valuation of more than $6 billion. In March 2021 Okta acquired Auth0 in a $6.5 billion deal. In 2023, Okta bought out security firm Spera for $130 million.
Okta’s products are used by developers to build identity controls into applications, websites, web services and devices. Many leading cloud or Software as a Service (SaaS) products – serving all manner of industries with enterprise automation platforms for a broad array of business processes – were built with Okta technology. Its product portfolio encompasses ten products under the umbrella of IAM. These include solutions for Single Sign-On, Universal Directory, API Access Management, Authentication, Advanced Server Access, Multi-Factor Authentication, Access Gateway, Authentication and Lifecycle Management. These are all critical success factors for any security protocols built into web-based information systems.
Customers of Okta represent a veritable who’s who of organizations with high-stakes requirements for cyber security: industry-leading cloud and cyber security solution providers like 1Password, BeyondTrust and Cloudflare; telecommunications companies such as Zoom and T-Mobile; travel companies like JetBlue, Navan, MGM Resorts, Priceline, and Wyndham Hotels; financial services and fintech giants like Ally Financial, Kiva, Experian and Nasdaq; technology leaders such as Apple and Hewlett Packard; media companies like Virgin Media and USA Today; and even the FCC. Other industries served include CPG companies, manufacturing companies, healthcare, life sciences, construction and real estate, oil/gas/chemicals companies and retail firms.
Apps research and buyer resource site AppsRunTheWorld.com provides the following graphical representations of the size and scope of Okta’s customer base by industry, by size of customer (number of employees) and by revenue.
<Graphics and charts of Okta client by industry, size, and revenue omitted>
KNOWN FACTS OF THE ATTACKS
It was October of 2023 when Okta’s data systems were breached. Initially, Okta’s spokesperson reported that there was no unauthorized access to the company’s services or customer data resulting from the intrusion.
Their initial disclosure stated that hackers had gained access to customer support systems and had exfiltrated cookies and session tokens that had the potential to lead to compromise of customer accounts. According to their initial account, a mere 1% of the more than eighteen thousand customer organizations was impacted. However, Okta assured jittery customers that no names or emails had been compromised, that they had taken steps to secure their data, and that law enforcement had been notified.
The situation grew more ominous, though, when, after several months of review, Okta’s Chief Security Officer, David Bradbury, shared in a blog post that the threat actors had actually been able to run and download a report containing the names and email addresses of all Okta customer support system users.
Bradbury wrote, “All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system not accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident”. He added, reassuringly, that most of the fields in these reports are blank and do not contain user credentials or other sensitive personal data, and that for 99.6% of users included in the exposed report, full names and email addresses were the only personally identifiable information exposed.
Acknowledging that the risk was now larger than originally reported, Bradbury characterized it accurately, writing in his post, “While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks.” It is perhaps wishful thinking to suggest that this possibility was not being actively pursued by the threat actors who breached the system, or by any of the myriad criminal enterprises to whom this data is likely to have been sold or shared.
Cybercriminals are most certainly using the data to launch phishing and social engineering attacks on the users affected. In a tacit admission of this reality, Okta recommended its customers employ MFA for their administrators and consider using phishing-resistant authenticators to further enhance their security.
INITIAL CONSEQUENCES
It is beyond debate that organizations suffer deep and often lasting reputational damage in the wake of a breach. It follows naturally that a financial toll is also exacted. In the case of Okta, both appear to be true. While there is a complex array of factors that influence the stock price of a publicly traded company, the case could certainly be made that this breach played a significant role in generating the trough in the share price of OKTA.
<Chart of tanking stock price omitted>
OKTA had been trading in the $200 to $300 per share range for most of 2020 and 2021. The fall in share price to below the $100 level occurred at the same time as the initial breach was revealed in October 2023, and the stock’s value has remained in that range since then.
It is also worth noting that the downward trend in the share price seems to have begun in late 2021. Again, many factors are baked into the price of any company’s stock. However, there had been several, less consequential security incidents at Okta leading up to the massive October 2023 breach. On March 9, 2021, a hacker group called “Advanced Persistent Threat 69420” breached the network at an Okta office through a vulnerability in the company’s Verkada camera systems and was able to spy on security footage through this hole. Advanced Persistent Threat 69420 revealed they had gained root shell access to the broader network as a result of the camera hack.
Then again on March 22, 2022, the notorious hacker collective LAPSUS$ posted screenshots of internal Okta systems which Okta concluded were collected during a breach made via a computer used by a third-party vendor.
December 2022 saw Okta’s source code stolen by a hacker who gained unauthorized access to Okta’s GitHub data stores.
Clearly, investors were not rushing for the exits en masse in the wake of these smaller and less egregious breaches. Nevertheless, as is often the case, small breaches lead to larger ones as the information stolen is leveraged by threat actors to mount and deploy further attacks. As the damage grows, so does the negative publicity and erosion of customer confidence. Ultimately, when the “big one” occurs, companies often suffer catastrophic financial consequences. In Okta’s case, this was manifested in a roughly 66% drop in shareholder value.
ATTACK VECTORS AND EDP MANAGEMENT
Culled from analyses of the Okta breach produced by IT management solutions provider ManageEngine and IT security and IAM solution provider Rezonate, the following methodology and timeline explain how this breach unfolded.
It seems that the intrusion was accomplished by exploiting .HAR files, accessed through a seemingly inconsequential incident involving an Okta employee’s laptop. (Rezonate does a great job of explaining what HAR files are as well as, in detailed fashion, how they were exploited in this instance.) Using a company-issued laptop, this Okta employee logged into their personal Google profile using the Google Chrome browser. The employee saved their Okta service authentication credentials in the browser of their personal account.
Analysts agree it was highly likely that the initial compromise occurred through a phishing or other social engineering technique aimed at accessing this employee’s personal account.
With the employee’s personal Google account compromised on the Okta-managed laptop, the threat actors were able to inject malware into the broader Okta system. The malware enabled attackers to access Okta’s support systems and exploit the HAR files submitted by Okta customers. The threat actors used this technique to uncover session tokens of Okta customers, including other well-known cybersecurity providers such as 1Password, BeyondTrust, Cloudflare and others.
Having gained control over these admin accounts, the hackers sought to make deeper forays into the internal systems of the breached organizations. A sharp-eyed employee at 1Password noticed the unusual activity, though, and alerted Okta. A few weeks later, after a compromise alarm was raised by BeyondTrust, the misused service account was isolated as the source of the problem.
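A defensive illustration of the HAR-file exposure described above, added here as an example and not code from the original article or from Okta or Rezonate: a small Python sanitizer that strips cookies, Authorization and Set-Cookie headers, request bodies and token-like query parameters from a HAR capture before it is attached to a support case. The HAR content is constructed sample data, and the header and parameter name lists are assumptions to be extended for a given application.

```python
import json
from copy import deepcopy
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Header and query-parameter names that commonly carry session material
# (assumed list; extend it for the applications your support team captures).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "session", "sid", "code"}
REDACTED = "[REDACTED]"


def _redact(items, names=None):
    """Blank the value of each {name, value} entry; all of them when names is None."""
    hits = 0
    for item in items:
        if names is None or item.get("name", "").lower() in names:
            item["value"] = REDACTED
            hits += 1
    return hits


def _redact_url(url):
    """Rewrite token-like query parameters inside the request URL itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_har(har):
    """Return (sanitized copy, number of redacted values). The input is not modified."""
    har = deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        if "url" in req:
            req["url"] = _redact_url(req["url"])
        count += _redact(req.get("queryString", []), SENSITIVE_PARAMS)
        if "postData" in req and "text" in req["postData"]:
            req["postData"]["text"] = REDACTED  # login bodies carry credentials
            count += 1
        for msg in (req, resp):
            count += _redact(msg.get("headers", []), SENSITIVE_HEADERS)
            count += _redact(msg.get("cookies", []))  # every cookie, not just known names
    return har, count


# Constructed sample HAR: one request whose cookies and query token would hand
# an attacker a live session if the file were uploaded to a support case as-is.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://sso.example.test/api/v1/users/me?access_token=abc123&page=1",
        "headers": [{"name": "Cookie", "value": "sid=deadbeef; DT=xyz"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "deadbeef"}, {"name": "DT", "value": "xyz"}],
        "queryString": [{"name": "access_token", "value": "abc123"},
                        {"name": "page", "value": "1"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=newvalue; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "newvalue"}]}}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values")
    print(json.dumps(clean, indent=2))
```

Even a scrubbed HAR is only as safe as the support system that stores it; the sanitizer reduces what a stolen support case can yield, and session revocation on the server side remains the backstop.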
The following is a synopsis of the timeline of the HAR file compromise and data exfiltration that occurred as a result of this breach of Okta systems.
September 29, 2023 – Okta client, 1Password reports suspicious activity to Okta security teams
October 2, 2023 – A second Okta client – BeyondTrust – reports suspicious activity to security teams
October 12, 2023 – A third Okta client makes a report of suspicious activity
October 13, 2023 – BeyondTrust shares an IP address (IOC) with Okta
October 16, 2023 – Okta isolates activities occurring within a service account associated with said suspicious IP address
October 17, 2023 – Okta takes initial steps to ameliorate the problem: the compromised service account is disabled and its sessions are revoked, along with sessions embedded in HAR files downloaded by the threat actor
October 18, 2023 – Okta Security notifies a fourth customer that their data has been compromised
October 19, 2023 – Additional threat actor activity is noticed and Okta revokes more sessions embedded in HAR files downloaded by the hackers
October 19, 2023 – This is also the day Okta announces to all customers that its security had been compromised
October 20, 2023 – The first blog post about the incident (referenced earlier in this paper) is released to the public
Late October through November 2023 – Deeper dive investigations uncover the full scope and broad consequences of the breach. Additional companies are informed and told they should adopt enhanced security measures
November 2023 – Okta releases more detailed information about the breach and confirms that more reports and support cases had been accessed by the hackers, including contact details for all Okta-certified users across all customers.
December 2023 – Okta discloses the hackers had successfully downloaded reports including names and emails of all Okta customer support systems users. They warn the information would likely be used to mount phishing attacks.
LONGER TERM CONSEQUENCES
The long-term consequences of this particularly damaging breach will continue to unfold in the months and years to come. One of the most devastating ramifications of the exposure of so many names, emails, positions and employment data points is the ongoing use and utilization of this information to craft social engineering attacks on all of the organizations whose data was revealed in the initial breach.
According to research produced by University of California Los Angeles (UCLA), the human element was involved in 82% of all breaches analyzed over the last 12 months. There is projected to be one ransomware attack occurring every 11 seconds and by 2025, cybercrime is estimated to reach $10 trillion per year. All three of these statistics are largely enabled by the application of phishing strategies utilizing context clues gathered via the collection of stolen PII from breaches like the Okta breach. What makes Okta’s example more problematic than most is the fact that the data revealed is explicitly related to the cybersecurity practices and protocols of many of the InfoSec industry’s top players.
It is worth noting at this juncture that the names, emails and job roles of those compromised in the Okta attack are likely to be used in conjunction with other PII and specific details about would-be targets. This information is skillfully gleaned by threat actors from numerous sources of unsecured external data. Exploiting external data privacy weakness is the most effective method used by threat actors to craft super-convincing phishing and other social engineering attacks against highly targeted professionals and leaders within target organizations.
It can be said with a high degree of certainty that threat actors are already building dossiers on the key individuals within the organizations they’re targeting. Using the data stolen from Okta, as well as other stolen data and data lawfully obtained from unsecured sources such as public records, data broker companies, people search sites and unrestricted social media sites, detailed profiles are being devised and used to mount exceptionally specific phishing attacks, further victimizing those who already suffered exposure in this breach and further threatening the health and survival of their respective organizations.
It remains to be seen if Okta’s share price and reputation will ever fully rebound from the damage it sustained as a result of this pernicious attack.
HOW EXTERNAL DATA PRIVACY MANAGEMENT COULD HAVE PREVENTED THIS ATTACK
In the aftermath of a breach like the Okta breach and the security-centric focus of its many customers/victims, affected individuals – personally and professionally – must now embrace proactive steps to prevent being the next target of threat actors. Even if your organization wasn’t one of the growing list of organizations impacted by the Okta breach (or its customers 1Password, BeyondTrust, and the rest) the chances are high that hackers using the data exposed by this attack will target you next. Although there is no way to fully eliminate the threat, the very best thing one can do to make oneself far less likely to be victimized again is to beef up external data privacy.
Avoiding social engineering attacks and the resulting data breaches depends on securing external data privacy. This means scrubbing the external data of all relevant employees (both internal and third party) from the many sources of PII available. Continuity of engagement when securing external data is the key to being able to quickly remediate any unauthorized data exfiltration. Getting ahead of the hackers and threat actors means removing identifiable information that can be used to generate phishing and other scams from hundreds of data brokers, people search sites and public data sources so that if and when these data are released, they are conspicuous and more quickly removed. Having such practices and processes in place may sound like an insurmountable task. But it is achievable, and it is truly the only way to protect against falling victim. Privacy Bee for Business is a leader in delivering EDP management solutions that are proven effective at reducing the digital attack surface and adding the necessary data privacy layer of protection atop the rest of the traditional information security practices already widely in use.
It is recommended that all organizations avail themselves of these easy-to-deploy scans and metrics to determine their existing level of vulnerability when it comes to EDP management.
Privacy Bee’s Employee Risk Management (ERM) is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes to load and configure your employees (usually an exported CSV from your HCM software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Any discoveries are flagged as an exposure and affect that person’s aggregated Privacy Risk Score.
ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.
Privacy Bee’s External Data Privacy Audit is another web-based privacy app for quickly and easily scanning employees’ PII exposure. This tool set lets you build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates potential financial impact across your company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk, and External Data Privacy Management.
The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (data brokers, people search sites, paste sites, and more). It delivers a centralized view into public employee exposures and insight into the tangible financial impact they have within your organization.
Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to parties outside your organization who may have a degree of access to your sensitive information systems, including software providers and/or contract development resources. This solution evaluates all your vendor/partner organizations for External Data Privacy risks. It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all your third-party vendors one-on-one to decrease their vulnerabilities, effectively de-risking your company.
While all these (and other) audits and monitoring services are available at no cost, removing employee PII from all unsafe locations on the net is what actually reduces the risk and the attack surface. While this is a function your organization could take on as an internal activity, most organizations prefer to outsource the removal service for the employees and vendors identified as at risk to Privacy Bee. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.
Putting EDP solutions like these in place does much to protect against being victimized by threat actors from the outset. And while they are useful as a restorative, to clean up the mess after a breach has occurred, it is best to deploy them from the outset so as to avoid becoming the next high-profile victim.
Speak with Privacy Bee to discuss the External Data Privacy Management at your company.