Security vendor Okta suffered a massive breach that it now admits affected “all” of its customers, despite having an ISO 27001 cybersecurity certification that attested to the company’s information security management system.

Initially, Okta dramatically understated the size of the breach. According to TechCrunch, Okta spokesperson Vitor De Souza reported that “around 1% of customers are affected by this breach, but declined to provide a specific number.” Now, however, the company has been forced to walk back that claim entirely, admitting that 100% of clients were affected. Per Axios:

Okta Chief Security Officer David Bradbury [said] that its initial investigation into the incident missed actions that indicate that all Okta certified users were affected during the October attack. The yet-to-be-identified hackers are now believed to have accessed the names, email addresses and other contact information for all Okta customer support users — which includes a large number of company administrators. Some Okta employee information was also exposed in the breach, Bradbury added.

Meanwhile, WIRED reporting highlighted problems in Okta’s response to the incident, and raised questions that Okta has still refused to answer:

Okta says it didn’t realize that all customers had been affected by the incident because, while its initial investigation had looked at the queries the attackers ran on the system, “the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation.” In the initial assessment, when Okta regenerated the report in question as part of retracing the attackers’ steps, it didn’t run an “unfiltered” report, which would have returned more results. This meant that in Okta’s initial analysis, there was a discrepancy between the size of the file the investigators downloaded and the size of the file the attackers had downloaded, as recorded in the company’s logs.

Okta did not immediately respond to WIRED’s requests for clarification on why it took a month for the company to run an unfiltered report and reconcile this inconsistency.
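As an added example (not Okta's or WIRED's code, using a constructed key=value log format and a constructed support-user dataset), this is the reconciliation step the reporting describes: an investigator regenerates the report the attacker downloaded, compares its size with the byte count the server logged, and treats any mismatch as evidence that the regeneration scope (for instance, a filter) differs from what was actually pulled.

```python
import csv
import io

# Constructed support-user records standing in for a support-portal database.
SUPPORT_USERS = [
    {"org": "acme", "name": "A. Admin", "email": "a.admin@acme.example", "role": "admin"},
    {"org": "acme", "name": "B. User", "email": "b.user@acme.example", "role": "viewer"},
    {"org": "globex", "name": "C. Admin", "email": "c.admin@globex.example", "role": "admin"},
    {"org": "initech", "name": "D. Admin", "email": "d.admin@initech.example", "role": "admin"},
]

# Constructed log-line format; "bytes" is the size the server recorded for the download.
LOG_FORMAT = "ts=2023-10-01T00:00:00Z actor=threat-actor action=report.download report=users bytes={}"


def render_report(users, org_filter=None):
    """Export users as CSV bytes. org_filter=None is the unfiltered export."""
    rows = users if org_filter is None else [u for u in users if u["org"] == org_filter]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["org", "name", "email", "role"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue().encode()


def attacker_log_line():
    """The attacker pulled the unfiltered export; the log keeps its true size."""
    return LOG_FORMAT.format(len(render_report(SUPPORT_USERS)))


def logged_bytes(line):
    """Pull the recorded byte count out of a key=value log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["bytes"])


def reconcile(line, regenerated):
    """Compare the logged download size with the investigator's regenerated report."""
    diff = logged_bytes(line) - len(regenerated)
    if diff == 0:
        return {"status": "match", "diff": 0}
    status = "regeneration_too_narrow" if diff > 0 else "regeneration_too_wide"
    return {"status": status, "diff": diff}


def affected_orgs(report):
    """Which customer orgs appear in a report, i.e. the real blast radius."""
    return {row["org"] for row in csv.DictReader(io.StringIO(report.decode()))}
```

Running `reconcile` against a filtered regeneration returns `regeneration_too_narrow`, and only the unfiltered export matches the log and reveals every org in the download.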

Despite this, Okta holds ISO 27001 certification for its “information security management system,” which invokes the need to implement a host of controls defined in another document, ISO 27002. That certificate was issued by Schellman, a certification body that is also currently on track to start providing CMMC certifications for the Dept. of Defense’s cybersecurity certification program.

According to the two certificates issued by Schellman, the ISO 27001 certification covered controls related to Okta’s “cloud-based IDaaS platform,” “Okta Customer Identity Platform (formerly Auth0),” and “auxiliary Okta product offerings.”

The media reporting indicates that the breach’s victims specifically include those customers of Okta’s customer identity platform, which was included in the scope of certification purported to have been audited by Schellman.

The certificates issued to Okta bear the accreditation logos of both ANAB and UKAS, and were signed by Schellman principal Ryan Mackie.

Current ISO 27001 certificate issued by Schellman to Okta.

According to Schellman’s webpage, ISO 27001 certification will “assist your organization in managing and protecting valuable data and assets.”

Okta is not alone in having suffered a massive breach while holding ISO 27001 certification. Equifax was subject to the largest breach of consumer credit data in history while holding ISO 27001 certification from Ernst & Young’s certification body, EY CertifyPoint. Investigators found that EY CertifyPoint failed to identify basic lapses in Equifax’s systems, likely since CertifyPoint was auditing the work done by other Ernst & Young auditors for Equifax’s accounting practices. Rules governing certification bodies are supposed to prevent conflicts of interest whereby a CB, such as CertifyPoint, audits the work of a related company, but those rules are unenforced by accreditation bodies.

Bank security company Prosegur was also hacked while holding ISO 27001 certification issued by the Spanish certification body AENOR.

Virginia-based company Miracle Systems was investigated by the US Secret Service after its data was found being traded on the dark web. It held ISO 27001 certification from the certification body AFNOR.

Schellman is listed as a C3PAO certification body for the CMMC program, in which the DoD claims third-party certification of defense industry suppliers will ensure robust protection of confidential defense data. The continued hacks of companies holding third-party certification to ISO 27001, many issued by the same bodies now jockeying to offer CMMC, suggest that such conformity assessment practices have no effect on cybersecurity.

Oxebridge has reached out to Schellman for comment.
