Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Okta and 23andMe: a new public relations tactic in disclosure?

December 19, 2023

I’m starting to wonder if we’re going to see a new tactic for US based companies where they report an initial breach and then report the full extent of the breach later at a more opportune time.

We’ve already seen this, whether intentionally or unintentionally, with the breaches of Okta and 23andMe. Both reported that a small portion of their user base was impacted. Then, several weeks later, they came out and reported it as much larger. It would be an interesting tactic, especially since the new SEC rules are now in place as of December 15, 2023, requiring companies to report a material cybersecurity incident within four business days.

Public Relations (PR) departments have always looked for ways to limit the impact of a breach hitting the news wire. They’ll often release bad news on holidays or around other major events. Caesars did this while the MGM breach was hot in the news cycle, disclosing its own breach by the same threat actor. A couple of months removed, most people only remember the MGM breach.

I’m in the security news bubble, so it’s hard to say if this tactic is working. Okta is a company that’s in the security space, so most people outside of security don’t care about it. 23andMe is a DNA testing service for health and ancestry discovery, and it’s still early to determine the effectiveness of their PR mitigation.

Looking at it from the companies’ perspective, we have asked for more transparency from companies on breaches. That could be what we’re getting here. They’re providing additional information for disclosure purposes and education purposes. Being honest and conscientious is not always rewarded in the media. There are companies who will do the right thing, but there are others who will not.

I think it is a new tactic, and I’ll be curious to see if more companies start trying the strategy of releasing an initial compromise and then coming back later to “correct” it. Especially in the case of 23andMe, which has decided to update their Terms of Service to include litigation protection for themselves. It just looks bad.

This blog post first appeared on Exploring Information Security.

In Opinion Tags Hack, Okta, 23andMe, PR, MGM, Caesars
