Following a trend in directors and officers (D&O) litigation involving cybersecurity firms, Okta Inc. now faces a securities class action lawsuit alleging the firm made false and misleading statements, including that it failed to disclose, and then downplayed the severity of, a data breach earlier this year.
According to the federal lawsuit filed May 20 in the Northern District of California against Okta and its directors, shareholder City of Miami Firefighters’ and Police Officers’ Retirement Trust seeks to recover damages “caused by defendants’ violations of federal securities laws” under the Securities Exchange Act of 1934. After hacking group Lapsus$ on March 22 posted screenshots it claimed were of Okta’s internal environment, the firm’s share price fell about 1.8 percent; it then dropped another 10.7 percent once news of the data breach was published and Okta was downgraded by Raymond James, according to the lawsuit.
“Plaintiff and other class members have suffered significant losses and damages,” the lawsuit said.
Initially, Okta CEO Todd McKinnon posted to Twitter on March 22 and said that Okta “detected an attempt to compromise the account of the third-party support engineer working for one of our subprocessors” in January but that “there is no evidence of ongoing malicious activity.” Later on March 22, David Bradbury, chief security officer, posted an after-market hours statement on the company’s website to add that about 2.5 percent of customers “have potentially been impacted and whose data may have been viewed or acted upon.”
Okta terminated its relationship with the third-party vendor, Sitel Group, according to a statement posted by Bradbury on April 19. He added that, “As a result of the thorough investigation of our internal security experts, as well as a globally recognized cybersecurity firm whom we engaged to produce a forensic report, we are now able to conclude that the impact of the incident was significantly less than the maximum potential impact Okta initially shared on March 22, 2022.”
In an FAQ, Okta said of its failure to alert customers in January: “We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible.
“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third-party forensic firm to investigate,” Okta continued.
“At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”
There have been an increasing number of securities claims and other D&O lawsuits filed against cybersecurity companies following cyber incidents, according to Kevin LaCroix, an attorney and executive vice president at RT ProExec, as well as author of the D&O Diary blog. LaCroix said plaintiffs have for the most part not been successful in cybersecurity-related D&O suits, but “plaintiffs’ lawyers still remain interested in pursuing these kinds of suits.”