• In January 2022, Okta experienced a data security breach, but it took the company two months to reveal the full extent of the incident’s impact.
• When Okta finally disclosed the details, management downplayed both the severity of the breach and the company’s inadequate security measures. They also failed to address the revenue losses caused by the incident.
• Despite Okta's initial denials about the data breach, the company's CEO later acknowledged the incident via Twitter, leading to an 11% decline in the stock price.
• On May 20, 2022, a shareholder lawsuit was filed by a group of investors to seek compensation from the company.
• The company has agreed to pay $60 million to affected shareholders to settle this lawsuit. Affected investors can now file a claim to receive the payment.

Okta Inc. (NASDAQ:OKTA) faced a data breach in early 2022 and a group of hackers obtained sensitive customer data. However, Okta did not disclose the details of the incident on time. When the management finally decided to reveal the extent of this breach to the public, there was a lack of transparency regarding the depth of this issue and the company’s security measures. Following these events, in May 2022, a group of shareholders sued Okta for providing misleading statements, negligence, and omissions. On July 19, 2024, nearly two years later, Okta agreed to pay $60 million to affected shareholders to settle this lawsuit.

The roots of the scandal, which eventually led to the lawsuit, trace back to Okta's acquisition and integration of Auth0. In May 2021, Okta acquired Auth0, Inc. for $6.5 billion. Auth0 is a company that provides customer identity and access management software. Following the acquisition of Auth0, the business integration of the two companies faced a major blow as there were severe difficulties in combining both sales divisions. Not long after the acquisition, several senior leaders from Auth0 and Okta left the company too, affecting the business. This turnover affected Okta's operations, however, the management avoided disclosing these issues to investors, potentially keeping investors in the dark about the challenges Okta faced following this multi-billion-dollar transaction.

Initially, Okta denied the news, stating that the service had not been breached and remained fully operational while a third party made an "unsuccessful attempt" to breach the systems. However, Okta's attempts to minimize that bad news soon escalated into a public relations nightmare, leading to stock downgrades, senior management apologies, and a class action lawsuit after the company publicly accepted the data breach on Twitter on March 22, 2022, more than two months after the breach occurred.

The company faced severe consequences following CEO Todd McKinnon’s Twitter post. Not long after, CSO David Bradbury reported in an official statement that around 2.5% of the customers might have been affected by the breach. These events deteriorated investor trust in Okta, eventually leading to an 11% decline in stock price on March 23, 2022. These events eventually wiped off $6 billion from the company's market value within just a week of the company's acknowledgment of the data breach.

Then, in October 2023, Okta experienced another data breach on its customer support system, causing the stock to fall by 12%. The breach was made through a stolen credential, which enabled hackers to log into the support case management system. The following month, the management stated that the attackers stole information about all users from the support system, including client names and email addresses. Even though there is no direct evidence of misuse of the stolen information, Okta asked customers to be cautioned, stating that such data could be perilous in facilitating phishing and social engineering attempts.

The settlement and the broader security breach issues underscore the serious legal and financial risks of not prioritizing transparency and cybersecurity, as Kevin LaCroix from RT ProExec noted. For top management, the lawsuit sends a clear message: legal challenges can be handled, but restoring lost trust is a much tougher battle.