Okta, which markets itself as a “leading provider of identity” in the health care, public sector, energy, financial services, technology, travel and hospitality, and nonprofit industries, has notified some of its customers that data may have been accessed by cybercriminal group LAPSUS$. (Late breaking news—LAPSUS$ may be a teenager living in the U.K.). According to Okta, in late January it “detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors.” According to the forensic investigation, an attacker had access to the support engineer’s laptop for five days in January.

On March 22, 2022, LAPSUS$ posted screenshots of data that it allegedly exfiltrated from the support engineer’s laptop. According to Okta, it continues to investigate the incident and has “concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and already reached out directly by email.”

Okta has stated that “There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.” In addition, Okta has stated that its service “is fully operational, and there are no corrective actions our customers need to take.”

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.