eric_capuano, (edited )

Shame on you, @arstechnica ... You clearly worded the title of this clickbait article to make it seem as if Okta was breached again, when in fact that isn't true at all here.

The BS title: "Okta hit by another breach, this one stealing employee data from 3rd-party vendor"

Titling it "Okta hit by another breach..." is misleading, when the reality is Rightway was the one "hit by a breach"... Okta was indirectly impacted by the breach, and in a way that affects nobody but their employees.

You knew this wasn't appropriate wording for the title, but you chose to capitalize on current events for clicks.

Okta wasn't even the only Rightway customer affected by the breach, so where's your article for every other company "hit by a breach" they had nothing to do with?

Throwing shade, you wrote:

> Okta learned of the compromise and data theft on October 12 and didn’t disclose it until Thursday, exactly three weeks later.

This 3rd party breach only affected Okta employees -- who else do they owe a disclosure to? This only affects them! IMHO, the only one that owes anyone a disclosure here is Rightway.

I am as big a critic of Okta's breach history as anyone, but needlessly kicking them while they're down feels unethical. Do better.

Edited: to reflect the entire title, which is only 50% clickbait BS.

https://arstechnica.com/security/2023/11/okta-hit-by-another-breach-this-one-stealing-employee-data-from-3rd-party-vendor/

eric_capuano,

@arstechnica Oh wow, I was already disappointed, but I hadn't even noticed this sneaky little gem.

"AGAIN?" further insists that this 3rd party breach of Rightway is somehow "the same" as Okta's previous direct breaches. It's not.

benmontour,

@eric_capuano Ugh, I've been complaining of this exact thing this morning from all of the big security news people. Why is nobody calling this a breach of Rightway Healthcare? Why do we care that Okta specifically had data leaked from it, what about all of the other companies and employees of those companies that are also impacted here? Where is the comment from Rightway on this?

ciphermonger,

@eric_capuano Disappointing. I expect better from Dan Goodin. But Conde Nast(y) has really brought down the quality at Ars.

eric_capuano,

@ciphermonger looking at Dan’s past articles, I agree this feels like a one-off departure for him.

jawnsy,

@eric_capuano What are some of the tech publications that you like?

eric_capuano,

@jawnsy I'm probably not the best person to ask... I usually get mine through RSS feeds from everywhere and just extract the useful bits from each article without putting much stock in any particular source.

jawnsy,

@eric_capuano Yeah. I do the same. It seems that all the companies that do tech media also lean hard into sensationalist stuff to get page views.

Heck, even respected mainstream periodicals do that... It's a shame tbh

dazo,

@eric_capuano @arstechnica

> This 3rd party breach only affected Okta employees -- who else do they owe a disclosure to? This only affects them!

While this is also true, such 3rd party breaches might impose a risk to the Okta customers as well. It depends on what kind of information the Rightway breach leaked.

And since Okta already has been under fire with their fairly recent breach, it's needed to not go too easy on Okta. How was the Rightway breach done? Was Okta using their own authentication service with Rightway? Were all needed security policies applied in Rightway from Okta's side? (That would tell something about the security attitude at Okta.) ... and there are a lot of questions to be asked in that scope between Okta and Rightway.

While I don't like the misleading click-bait title Ars used in this case .... I also don't think it would be fair to only focus on Rightway. That said, the article itself is pretty slim on details and lacking more context on the relation between Rightway and Okta. And it certainly points a bit too quickly at the prior Okta breaches; which would be particularly silly if Okta actually has done their homework properly with their Rightway setup.

@dangoodin

eric_capuano,

@dazo @arstechnica @dangoodin I partially agree with you, but your points are mostly speculative and not worthy of a journalistic effort. Could this have had wider impact? Could Okta have somehow prevented this? Sure, maybe? But the facts presented in the article present nothing that insists Okta had anything to do with it.

Saying that "Okta deserves the bad press because they did get breached recently" isn't fair either.. They're getting plenty of well-deserved press on the actual breaches they had control over. Adding empty logs to the fire isn't helping.

dangoodin,

@eric_capuano @dazo @arstechnica

"Hit by another breach" does not mean "responsible for another breach" any more than saying hit by a car means it was the pedestrian's fault. I think it's perfectly accurate to indicate that Okta is the party that has suffered injury when it entrusted data to a third-party that got hacked. We have all seen how the theft of seemingly inconsequential data has left openings that later get exploited in serious hacks. There is the potential for something similar to happen here. The headline, I believe, sets all of this out succinctly.

I respect your opinion to the contrary, but I don't agree with it.

eric_capuano,

@dangoodin @dazo @arstechnica While I agree that "Hit by another breach" does not mean "responsible for another breach", I don't think the general population understands the difference. Clarity in journalism helps avoid confusion like this.

I am obviously no journalist, but could something like this have been more clear and appropriate?

"Okta, among others, affected by breach of Rightway"

This is both true, and crystal clear in meaning.

My opinion is unchanged, but I respect your thoughtfully worded counter-argument.

mttaggart,

@eric_capuano @arstechnica Since @dangoodin is here and tries hard to do good faith reporting on our field, I'll just remind folks that editors, not reporters, choose headlines.

malanalysis,

@mttaggart @eric_capuano @dangoodin @arstechnica

The reporting was good, the title was annoying click bait that preyed on a victim's notoriety to drive engagement.

dangoodin,

@malanalysis @mttaggart @eric_capuano @arstechnica

It's telling that the OP didn't quote the entire headline because it would have completely undermined his criticism.

eric_capuano,

@dangoodin @malanalysis @mttaggart @arstechnica

Point taken, post updated to reflect the entirety of your only partially bullshit title.

paulihme,

@eric_capuano @arstechnica
This is the correct take.

_lennart,

@eric_capuano I’ve been disappointed lately! Their article on the Apple WiFi MAC address randomization was sensational and straight up wrong as well
