Craft Compliance

Trust Is Everything: Unpacking The Recent Okta Event

Transparency > Security

It is a simple truth.

Customers buy from companies they trust.

In fact, in 2019, Edelman found that 67% of respondents agreed with the statement "a good reputation may get me to try a product, but unless I come to trust the company behind the product, I will soon stop buying it."

And while security is a big contributor to customer trust, it is not the most important one – a fact that Okta discovered firsthand in the past few weeks.

For anyone who missed it, Okta suffered an attack in late January. At the time, Okta detected an attempt to compromise the account of a third-party customer support engineer. Within 24 hours (according to Okta's timeline), Okta security had terminated the user's sessions and suspended the account.

At the same time, Okta shared the attack data with the affected third-party company (Sitel), which hired an outside forensic firm to analyze it. The forensic firm conducted its investigation from January 21 until March 10, when Sitel, and later Okta, were finally provided a report.

Five days later, the hacking group LAPSUS$ shared screenshots and messages mocking Okta's security. While Okta was quick to clarify that the screenshots were from the January attack on Sitel, customers had already panicked and started doing their own forensic analysis, with many security professionals even publicly doubting Okta's statements.

In this case, Okta itself wasn't breached at all, but they still lost customers' trust (even if temporarily) because they prioritized security over transparency.

They waited to inform affected customers until after LAPSUS$ was able to start, and lead, the narrative. Subsequently, Okta had to revise their own public statements, leading to more doubt and additional concern about what information wasn't being shared. And finally, they let more than a month pass before getting a report or update on the incident.

While Okta has now apologized and expressed regret for not notifying affected customers sooner, the damage was done.

At the end of the day, security is extremely important, but customers still value honesty and transparency most of all.
