Back

Okta, Inc.

Case Details

Class Period: March 5, 2021 - March 22, 2022
Date Filed: May 20, 2022
Case Number: 3:22cv02990
Jurisdiction: California Northern District Court
icon-casetype Case Type: Securities Case
Days Left to
Seek Plaintiff:
19

Case Summary

Okta provides identity solutions for enterprises, small and medium-sized businesses, universities, non-profits, and government agencies in the United States and internationally. The Company offers a variety of cybersecurity products and services. Following its completed merger with Auth0, Inc., a Delaware corporation (“Auth0”), on May 3, 2021, Okta began providing additional Auth0 products related to cybersecurity and login solutions. The complaint alleges that, throughout the Class Period, Defendants made materially false and misleading statements regarding the Company’s business, operations, and compliance policies. Specifically, Defendants made false and/or misleading statements and/or failed to disclose that: (i) Okta had inadequate cybersecurity controls; (ii) as a result, Okta’s systems were vulnerable to data breaches; (iii) Okta ultimately did experience a data breach caused by a hacking group, which potentially affected hundreds of Okta customers; (iv) Okta initially did not disclose and subsequently downplayed the severity of the data breach; (v) all the foregoing, once revealed, was likely to have a material negative impact on Okta’s business, financial condition, and reputation; and (vi) as a result, the Company’s public statements were materially false and misleading at all relevant times. On or around March 21, 2022, hackers known as LAPSUS$ posted screenshots on their Telegram, a cloud-based instant-messaging service, channel showing what they claimed was Okta’s internal company environment. Thereafter, on March 22, 2022, the Company’s Chief Executive Officer, Defendant Todd McKinnon (“McKinnon”), posted a statement on his Twitter account, disclosing that, “[i]n late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors” (emphasis added); that “[t]he matter was investigated and contained by the subprocessor”; that “[w]e believe the screenshots shared online are connected to this January event”; and that, “[b]ased on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.” On this news, Okta’s stock price fell $2.98 per share, or 1.76%, to close at $166.43 per share on March 22, 2022. Later, on March 22, 2022, during after-market hours, in a statement on Okta’s website, the Company’s Chief Security Officer, Defendant David Bradbury (“Bradbury”), disclosed, inter alia, that “[a]fter a thorough analysis of [the LAPSUS$] claims, we have concluded that a small percentage of customers approximately 2.5% have potentially been impacted and whose data may have been viewed or acted upon.” Following Okta’s updated statement, multiple news outlets reported that hundreds of the Company’s clients were potentially affected by the January 2022 data breach. For example, on March 23, 2022, CNN published an article entitled “Okta concedes hundreds of clients could be affected by breach[,]” noting that, despite the Company’s statement that “a small percentage of customers approximately 2.5% have potentially been impacted[,]” the Company “has over 15,000 customers, according to its website.” That same day, Reuters and others published similar reports. Separately, Okta was downgraded by Raymond James from “strong buy” to “market perform,” noting, among other things, that “[w]hile partners were willing to trust Okta’s track record, the handling of its latest security incident adds to our mounting concerns.” Following Okta’s after-market update and Raymond James downgrade, the Companys stock price fell $17.88 per share, or 10.74%, to close at $148.55 per share on March 23, 2022.

Documents
Complaint