Dive Brief:
- The September cyberattack that exposed all of Okta's customer support system clients did not have a material impact on the company’s financial performance in the fiscal 2024 fourth quarter, which ended Jan. 31, executives said Wednesday. This was the first full quarter of operations for the business since the attack occurred.
- The attack against the identity and access management provider bore “minimal impact” on its financial performance, Okta CEO and Co-Founder Todd McKinnon said Wednesday on the company’s earnings call.
- Okta’s response to the attack, a companywide effort to reorient around security and make defense its top priority, slowed some parts of the business down but not in a significant way. “While not quantifiable, the event likely had some level of impact,” Okta CFO Brett Tighe said.
Dive Insight:
Okta is the latest company to show signs of buoyancy following a series of attacks that put customers at risk. Progress Software has consistently reported minimal business impact from the mass exploitation of a zero-day vulnerability in its file-transfer service MOVEit, which ballooned into the largest, most significant cyberattack of 2023.
“The incident is now behind us but we're using the learnings to reassess and strengthen the security aspects of our own infrastructure, as well as help ensure customers benefit from our experience by further strengthening our products and policies,” McKinnon said.
Okta CSO David Bradbury detailed to Cybersecurity Dive on Monday what it will take for the company to regain the trust of its customers, as he previewed more than a dozen security enhancements Okta announced in tandem with its results Wednesday.
Okta pledged to harden its corporate infrastructure, embody secure-by-design principles across its products, champion best practices, and invest $50 million in a fund to address cybersecurity challenges outside the company over the next five years.
“As you might expect, security is our top priority as a company for fiscal year 2025. This covers everything from driving a company culture with a security-first mindset to our own security architecture, as well as our products and services,” McKinnon said during the earnings call.
Identity is a primary attack vector, linked to 85% of all attacks, according to McKinnon. Okta wants to be at the forefront of the fight against identity-based attacks through this ongoing initiative.
“Okta have found themselves choosing between being an identity company and being a security company,” James Maude, director of research at BeyondTrust, said via email.
BeyondTrust joined Cloudflare and 1Password in coming forward early as downstream victims of the attack against Okta’s support portal.
“We have already seen Okta make significant improvements to the security of their products since the recent breaches. However, the risk is that these features are not enabled by default,” Maude said.
“Looking to the future, the key for Okta will be to help customers help themselves by making things secure by default to ensure that customers aren’t an easy target for threat actors due to weak security configurations,” Maude said.
Okta ended the quarter with about 19,000 customers, including 150 net customer additions during the quarter. The company reported a quarterly net loss of $44 million on $605 million in revenue, which was up 19% year over year.
Okta has yet to report a quarterly profit since it went public in 2017, but the company’s full-year losses narrowed from $815 million in fiscal 2023 to $335 million in fiscal 2024.