by jbrownbridge 1548 days ago
So if I'm reading this right, Okta was aware of a "compromise" of one of their sub-processors that impacted an unknown number of their customers/end users. They then waited more than 2 months before performing their own rudimentary analysis of the audit log to see what actions that sub-processor may have taken during the "compromise".

Their CSO writes, "Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel."

IANAL and these are only my opinions but it seems like:

(a) Their DPO chose not to notify (GDPR Art. 33) without having the full picture, or thought waiting several months for the sub-processor's report was a justifiable reason for delaying notification

(b) They failed to perform their own basic forensic activities in light of a "compromise" and only reviewed logs on March 22nd

(c) They have terrible taste in naming their support app "Super User"

In my opinion they are also downplaying the importance of the data that may have been compromised. For example, do the hackers now know which accounts have MFA attached and which don't? What the password policies are (e.g. strength, number of attempts, etc.)?

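The kind of audit-log triage the post argues should have happened right away, as an added example (not code from the post, from Okta, or from Sitel): a small Python script that walks a stream of simplified System-Log-style events, keeps only those whose actor belongs to the sub-processor's domain and falls inside the suspected compromise window, lists which tenants were touched and with what event types, and separately flags actions that change MFA or password state, which is the "what did they actually do" question the 125,000-entry review was meant to answer. The event shape (`published`, `actor.alternateId`, `eventType`, `outcome.result`, `target`) loosely follows the public Okta System Log format, but the top-level `tenant` field, the `sitel.example` domain, the window dates, the sensitive-event watch list and every sample event are constructed assumptions for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (NOT real Okta data). Field names loosely follow the
# Okta System Log shape; the "tenant" key is an added simplification so several
# customer tenants can sit in one stream for the example.
SAMPLE_LOG = """
{"published": "2022-01-17T10:02:11Z", "tenant": "tenant-a", "actor": {"alternateId": "agent1@sitel.example", "type": "User"}, "eventType": "user.session.access_admin_app", "outcome": {"result": "SUCCESS"}, "target": []}
{"published": "2022-01-17T10:05:40Z", "tenant": "tenant-a", "actor": {"alternateId": "agent1@sitel.example", "type": "User"}, "eventType": "user.mfa.factor.reset_all", "outcome": {"result": "SUCCESS"}, "target": [{"type": "User", "alternateId": "jdoe@tenant-a.example"}]}
{"published": "2022-01-18T08:30:00Z", "tenant": "tenant-b", "actor": {"alternateId": "agent2@sitel.example", "type": "User"}, "eventType": "user.account.reset_password", "outcome": {"result": "SUCCESS"}, "target": [{"type": "User", "alternateId": "asmith@tenant-b.example"}]}
{"published": "2022-01-30T09:00:00Z", "tenant": "tenant-c", "actor": {"alternateId": "agent1@sitel.example", "type": "User"}, "eventType": "user.session.access_admin_app", "outcome": {"result": "SUCCESS"}, "target": []}
{"published": "2022-01-19T11:00:00Z", "tenant": "tenant-d", "actor": {"alternateId": "support@okta.example", "type": "User"}, "eventType": "user.session.access_admin_app", "outcome": {"result": "SUCCESS"}, "target": []}
{"published": "2022-01-19T14:20:00Z", "tenant": "tenant-b", "actor": {"alternateId": "agent2@sitel.example", "type": "User"}, "eventType": "user.session.start", "outcome": {"result": "FAILURE"}, "target": []}
"""

# Assumed watch list: event types that change authentication state for a user
# (MFA factors, password) or a tenant's policy. Tune to your own threat model.
SENSITIVE_PREFIXES = (
    "user.mfa.",
    "user.account.reset_password",
    "user.account.update_password",
    "policy.",
)


def load_events(jsonl):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def parse_time(ts):
    """ISO-8601 with a trailing Z -> aware datetime (works on Python < 3.11 too)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def actor_domain(event):
    """Domain part of actor.alternateId, lower-cased; '' if absent."""
    return event.get("actor", {}).get("alternateId", "").rpartition("@")[2].lower()


def triage(jsonl, window_start, window_end, subprocessor_domains):
    """Summarise what actors from the given domains did inside [start, end).

    Returns a dict with:
      tenants_accessed: {tenant: sorted list of successful event types}
      sensitive:        [(tenant, eventType)] successful events on the watch list
      failed:           [(tenant, eventType)] attempts whose outcome was not SUCCESS
      outside_window:   count of sub-processor events outside the window
    """
    start, end = parse_time(window_start), parse_time(window_end)
    accessed = defaultdict(set)
    report = {"sensitive": [], "failed": [], "outside_window": 0}

    for ev in load_events(jsonl):
        if actor_domain(ev) not in subprocessor_domains:
            continue  # Okta's own staff or customer admins: not the question here
        if not (start <= parse_time(ev["published"]) < end):
            report["outside_window"] += 1
            continue
        tenant, etype = ev["tenant"], ev["eventType"]
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            report["failed"].append((tenant, etype))
            continue
        accessed[tenant].add(etype)
        if etype.startswith(SENSITIVE_PREFIXES):
            report["sensitive"].append((tenant, etype))

    report["tenants_accessed"] = {t: sorted(s) for t, s in accessed.items()}
    return report


def run_sample():
    """Triage the constructed log over an assumed five-day window."""
    return triage(SAMPLE_LOG, "2022-01-16T00:00:00Z", "2022-01-22T00:00:00Z",
                  {"sitel.example"})


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed sample this reports two tenants accessed by the sub-processor inside the window (one of which had an MFA factor reset, the other a password reset), one failed session attempt, and one event outside the window that is excluded from the impact count. Against a real export the same three questions apply: which actors, which window, which tenants, and which of those actions changed authentication state rather than merely viewed a record.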

The compromised tenant looks like it was specifically _not_ one of the EMEA ones so GDPR wouldn't be relevant here.
I think the issue is that they just wouldn't know. They didn't know which customers were impacted. They didn't know which users' personal data might have been compromised. They most likely don't have the ability to determine whether a user is an EU resident or not, as this information would reside with their customers' HR systems, which all points to having to notify to avoid the legal complications.
If the tenant had 1 or more European employees in their system, then yes GDPR is likely relevant.