So if I'm reading this right, Okta was aware of a "compromise" of one of their sub-processors that impacted an unknown number of their customers/end users. They then waited more than 2 months before performing their own rudimentary analysis of the audit log to see what actions that sub-processor may have taken during the "compromise".
Their CSO writes, "Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel."
IANAL and these are only my opinions but it seems like:
(a) Their DPO chose not to notify (GDPR Art. 33) without having the full picture, or thought waiting several months for the sub-processor's report was a justifiable reason for delaying notification.
(b) They failed to perform their own basic forensic activities in light of a "compromise" and only reviewed logs on March 22nd.
(c) They have terrible taste in naming their support app "Super User".
In my opinion they are also downplaying the importance of the data that may have been compromised. For example, do the hackers now know which accounts have MFA attached and which don't? What the password policies are (e.g. strength, number of attempts, etc.)?
I think the issue is that they just wouldn't know. They didn't know which customers were impacted. They didn't know which users' personal data might have been compromised. They most likely don't have the ability to determine whether a user is an EU resident or not, as this information would reside in their customers' HR systems, which all points to having to notify to avoid the legal complications.
IANAL but this definitely seems like a breach of Art 33 of GDPR as it meets the criteria of involving personal data (list of users was exposed) and the 72 hour window has passed.
I'm no expert here but I thought it was the other way around. I remember seeing Rocket Internet clone several US-based startups in the European market successfully, either in selling them back to the original startup or dominating the market, e.g. Zalando.
I worked for Rocket Internet for 6 months one year and if you get beaten by them you deserve to lose. You can safely forget about them if you are good.
I was approached by Rocket Internet to be CEO of one of their companies and, after asking me the type of company I wouldn't be interested in (I said "health/beauty, B2C"), they still went on to offer me the role of CEO of a B2C teeth straightening company.
Utterly bizarre, they weren't listening to a word I said yet wanted me to lead one of their companies?!
Beekeeper | Software Engineer (Interns + Graduates + Experienced) | Zurich, Switzerland | ONSITE, Full Time
Beekeeper is a fast-growing, mobile-first SaaS company disrupting the way 2 billion people working "out in the field" communicate. We have an amazing team made up of people from over 18 different countries who are passionate about shaping the future of industries like hospitality, retail, manufacturing and transportation.
I never silently pass on exceptions any more as I've been bitten by way too many edge cases. You could imagine the case where your example is run by a different user to the owner of temp_file and fails to remove it due to permission issues. In my opinion you should at least log some sort of message here.
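One way to do that cleanup without a silent pass, as an added Python example that is not part of the original thread (the function names are mine; the unremovable path is simulated with a directory, since the permission case the comment describes depends on which user runs the code):

```python
import logging
import os
import tempfile

logger = logging.getLogger(__name__)


def remove_temp_file(path: str) -> bool:
    """Remove a temporary file without hiding why removal failed.

    Returns True when the file is gone afterwards (removed now, or already
    absent) and False when it is still on disk. A bare `except: pass` makes
    both outcomes look identical; here every failure is logged with the OS
    error, so a permission problem (e.g. the file belongs to another user)
    shows up in the logs instead of silently leaving the file behind.
    """
    try:
        os.remove(path)
    except FileNotFoundError:
        # Already gone: harmless, but worth a debug line when chasing edge cases.
        logger.debug("temp file %s was already removed", path)
        return True
    except OSError as exc:
        # PermissionError, IsADirectoryError, a file held open on Windows, ...:
        # the file is still there and the caller (and the log) should know.
        logger.warning("could not remove temp file %s: %s", path, exc)
        return False
    logger.debug("removed temp file %s", path)
    return True


def demo() -> dict:
    """Exercise the three outcomes on constructed paths and report them."""
    fd, temp_file = tempfile.mkstemp(prefix="demo-")   # constructed temp file
    os.close(fd)
    first = remove_temp_file(temp_file)          # normal removal
    second = remove_temp_file(temp_file)         # already gone: still "success"
    temp_dir = tempfile.mkdtemp(prefix="demo-")  # constructed stand-in for an
    third = remove_temp_file(temp_dir)           # unremovable path (os.remove
    os.rmdir(temp_dir)                           # refuses directories)
    return {"removed": first, "already_gone": second,
            "failed": third, "file_left_behind": os.path.exists(temp_file)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    print(demo())
```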
So I use almost exactly the same approach, except in the VPN configuration options (I use Ubuntu 12.04) I just set the search domain to my-internal-name.blah, as well as making sure the VPN connection is only used for resources on its own network.
Then as part of my bootstrapping I register the VPC instance's internal-ip address on route53 under the my-internal-name.blah zone.