Okta on handling of Lapsus$ breach: ‘We made a mistake’

Okta has released an apology for its handling of the January breach of a third-party support provider, which may have impacted hundreds of its customers.

The identity security vendor “made a mistake” in its response to the incident, and “should have more actively and forcefully compelled information” about what occurred in the breach, the company said in the unsigned statement, included as part of an FAQ posted on the Okta website today.

The apology follows a vigorous debate in the cybersecurity community in recent days over Okta’s lack of disclosure for the two-month-old incident. The breach impacted support contractor Sitel, which gave the hacker group Lapsus$ the ability to access as many as 366 Okta customers, according to Okta.

The Okta FAQ goes further than previous public communications in saying that the company made imperfect choices in its handling of the incident — though the statement stops short of saying that Okta believes it should have disclosed what it knew sooner.

“We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible,” the statement in the FAQ says.

“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers,” the Okta statement says. “We should have more actively and forcefully compelled information from Sitel.”

“In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today,” Okta says in the statement.

The apology and explanation were framed as a response to the question, “Why didn’t Okta notify customers in January?” VentureBeat has reached out to Sitel for comment.

Slow to disclose?

The FAQ statement follows criticism from some quarters of Okta’s handling of the incident. At Tenable, a cybersecurity firm and Okta customer, CEO Amit Yoran issued an “Open Letter to Okta,” in which he said the vendor was not only slow to disclose the incident, but had made a series of other missteps in its communications as well.

“When you were outed by LAPSUS$, you brushed off the incident and failed to provide literally any actionable information to customers,” Yoran wrote.

Meanwhile, Jake Williams, a well-known cybersecurity consultant and faculty member at IANS, wrote on Twitter that based upon Okta’s handling of the Lapsus$ incident, “I honestly don’t know how Okta regains the trust of enterprise orgs.”

Okta, a prominent identity authentication and management vendor, disclosed this week that Lapsus$ accessed the laptop of a Sitel customer support engineer from January 16-21.

However, Okta did not disclose anything about the incident until Tuesday, and only then in response to Lapsus$ posting screenshots on Telegram as evidence of the breach.

Okta CSO David Bradbury had previously pointed the finger at Sitel for the timing of the disclosure. In a blog post, Bradbury said he was “greatly disappointed” by how long it took for Okta to receive a report on the incident from Sitel, which had hired a cyber forensic firm to investigate. Sitel declined to comment on that point.

Bradbury had previously issued an apology, though not directly referring to Okta’s handling of the incident. “We deeply apologize for the inconvenience and uncertainty this has caused,” he had said in the earlier post.

The Okta CSO had also earlier said that after receiving a summary report from Sitel on March 17, the company “should have moved more swiftly to understand [the report’s] implications.”

The FAQ does not provide new details on how customers may have been impacted by the breach.

No evidence prior to January 20

Okta’s timeline for the incident starts at January 20, but Lapsus$ was able to access the third-party support engineer’s laptop from January 16-21, Okta has said, citing the forensic report. Some had suggested to VentureBeat that this left the first few days of the breach unaccounted for.

In the FAQ — in response to the question of “what happened from January 16 through January 20?” — Okta suggested it does not have evidence of anything malicious happening to Okta’s systems or customers during that time period.

“On January 20, Okta saw an attempt to directly access the Okta network using a Sitel employee’s Okta account. This activity was detected and blocked by Okta, and we promptly notified Sitel, per the timeline above,” Okta says in the FAQ, referring to the incident that led to the company becoming aware of the Lapsus$ intrusion.

“Outside of that attempted access, there was no other evidence of suspicious activity in Okta systems,” the FAQ says.

VentureBeat has reached out to Okta for comment.

This is a developing story and will be updated.
