Okta on handling of Lapsus$ infringement: ‘We made a mistake’
We’re excited to bring Transform 2022 back in person on July 19 and virtually July 20 – August 3. Join AI and data leaders for insightful conversations and exciting networking opportunities. Learn more
Okta has apologized for handling the January breach of a third-party support provider, which may have affected hundreds of its customers.
The identity security provider “made a mistake” in its response to the incident and “should have been more active and forceful in enforcing information” about what happened in the breach, the company said in the unsigned statement, included as part of an FAQ posted today on the Okta website.
The apology follows a heated debate in the cybersecurity community in recent days about Okta’s lack of disclosure of the two-month-old incident. The breach affected support contractor Sitel, who gave hacker group Lapsus$ access to as many as 366 Okta customers, according to Okta.
Okta’s FAQs go beyond past public statements and state that the company made imperfect choices in handling the incident, though the statement doesn’t say Okta believes it should have disclosed what it knew sooner.
“We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible,” the statement in the FAQ reads.
“In January, we didn’t know the magnitude of the Sitel problem — only that we discovered and prevented an account takeover attempt and that Sitel hired a third-party forensics company to investigate. At the time, we didn’t realize there was a risk to Okta and our customers,” Okta’s statement said. “We should get more active and powerful information from Sitel.”
“In light of the evidence we have gathered over the past week, it is clear that if we had been in possession of all the facts we have today, we would have made a different decision,” Okta said in the statement.
The apology and explanation were intended to answer the question, “Why didn’t Okta notify customers in January?” VentureBeat has reached out to Sitel for comment.
Make it known slowly?
The FAQ statement follows criticism of Okta’s handling of the incident. At Tenable, a cybersecurity company and Okta customer, CEO Amit Yoran issued an “Open Letter to Okta,” in which he said the seller was not only slow to publicize the incident, but also made a series of other missteps in his communications.
“When you were laughed at by LAPSUS$, you brushed off the incident and literally failed to provide any useful information to customers,” Yoran wrote.
Meanwhile, Jake Williams, a noted cybersecurity consultant and faculty member at IANS, wrote on Twitter that based on Okta’s handling of the Lapsus$ incident, “I honestly don’t know how Okta is regaining the trust of corporate organizations.”
Okta, a leading provider of identity verification and management, has seen its share price fall 19.4% since the disclosure.
The company announced this week that Lapsus$ had access to the laptop of a Sitel customer support technician from Jan. 16-21, giving the threat actor access to up to 366 customers.
However, Okta didn’t disclose the incident until Tuesday, and only then in response to Lapsus$ posting screenshots to Telegram as evidence of the breach.
Okta CSO David Bradbury had previously pointed the finger at Sitel for timing the reveal. In a blog afterBradbury said he was “deeply disappointed” by the fact that it took Okta two months to receive a report about the incident from Sitel, which had hired a cyber forensics firm to investigate. (Sitel has declined to comment on that point.)
Bradbury had previously apologized but made no direct reference to Okta’s handling of the incident. “We sincerely apologize for the inconvenience and uncertainty this has caused,” he said in an earlier post after†
The Okta CSO had also previously said that after receiving a summary report from Sitel on March 17, the company “should have acted faster to understand [the report’s] implications.”
The FAQ posted today does not provide any new details about how customers may have been affected by the breach. Okta’s statement emphasizes that the company believes Sitel – and thus Lapsus$ – would not have been able to download customer databases or create/delete users.
No proof before January 20
oktas timeline for the incident starting January 20 (a timeline that was reiterated in the FAQ post). However, Lapsus$ had access to the remote support technician’s laptop Jan. 16-21, Okta said, citing the forensic report. Some had suggested to VentureBeat that this didn’t explain the first few days of the breach.
In the FAQ – in response to the question “what happened from January 16 to January 20?” — Okta suggested it has no evidence that anything malicious happened to Okta’s systems or customers during that time.
“On January 20, Okta saw an attempt to directly access the Okta network using the Okta account of a Sitel employee. This activity was detected and blocked by Okta, and we notified Sitel immediately, according to the timeline above,” Okta says in the FAQ, citing the warning that led the company to become aware of the Lapsus$ intrusion. .
“Apart from that attempted access, there was no other evidence of suspicious activity in Okta systems,” the FAQ says.
VentureBeat has reached out to Okta for comment.
The January 20 warning was triggered by a new factor, a password, which was added to the Okta account of a Sitel employee in a new location. Okta also says it “verified” the five-day period before the break-in by “looking at our own logs.”
‘Confident’ in conclusions
When asked “what data/information was accessed” during that five-day period, Okta provided no new details and reiterated previous points about Sitel’s support engineers having “limited” access.
Echoing previous statements, Okta said such third-party engineers cannot create users, delete users, or download customer databases.
“Support engineers can also facilitate password resets and multi-factor authentication factors for users, but cannot choose those passwords,” Okta said in the FAQ. “To take advantage of this access, an attacker would have to independently access a compromised email account for the target user.”
Ultimately, “we are confident in our conclusions that the Okta service has not been breached and that our customers do not need to take corrective action,” Okta said. “We are confident in this conclusion because Sitel (and thus the threat actor who only had the access Sitel had) was unable to create or delete users, or download customer databases.”
Okta added in the FAQ that it has contacted all customers who may have been affected by the incident, and “we have also notified non-affected customers.”
Bloomberg reported On Wednesday, Lapsus$ is run by a 16-year-old who lives with his mother in England. Yesterday, the BBC reported that the City of London police have arrested seven teenagers in connection with the Lapsus$ group.
It was not known if the leader of the group was among those arrested. Lapsus$ most recently posted on his Telegram account earlier today.
VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more