Okta ‘should have acted faster’ to assess Lapsus$ breach, says CSO

Missed a session at the Data Summit? View on demand here.

Despite an investigation into the breach of a third-party Okta provider being launched on Jan. 21, Okta did not receive a report about the incident until March 17, Okta chief security officer David Bradbury said in a statement on Tuesday.

Okta also didn’t disclose the findings at the time — just publicly revealing details about the incident after the threat actor behind the breach, Lapsus$, posted screenshots this week as evidence of the breach. “We should have gone faster to understand” [the report’s] implications,” Bradbury said.

Earlier on Tuesday, Bradbury disclosed that in January, Lapsus$ had access to the account of a customer service representative who worked for a third-party provider for five days.

In the post about the infringement investigation, Bradbury identified the third-party provider as Sitel, which provides Okta with contract workers for customer support.


The investigation into the breach was conducted by a “leading forensics firm,” Bradbury said. The company was not identified.

The company conducted its investigation from Jan. 21 to Feb. 28, and the report to Sitel was dated March 10, Bradbury said. Okta “received a summary report on the incident from Sitel on March 17,” he said.

“I am deeply disappointed at the length of time that has elapsed between our notification to Sitel and the issuance of the full investigation report,” Bradbury said.

VentureBeat has reached out to Sitel for comment.

In addition, “after we received Sitel’s summary report, we should have acted faster to understand its implications,” Bradbury said.

Bradbury said the “maximum potential impact” is that the breach could have affected 366 customers (about 2.5% of Okta’s 15,000 customers).

The identity and access management provider has not specified how the customers may have been affected.

“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – may have been affected and whose data may have been viewed or acted upon,” Bradbury said in a separate statement from the investigative post. , which updated the company’s earlier statement about the Lapsus$ infringement.

lapsus$ leaking

The revelations by Okta were in response to screenshots Lapsus$ posted to Telegram showing what the threat actor said as “access to Okta.com Superuser/Admin and various other systems”.

In the updated post Tuesday night, Bradbury reiterated that “the Okta service is fully operational and there are no corrective actions for our customers to take.”

In the updated post, Bradbury said Okta has identified the affected customers and has “already contacted them directly by email”.

“We take our responsibility to protect and secure customer information very seriously,” he said. “Our sincere apologies for the inconvenience and uncertainty this has caused.”

Bradbury added that “While it is not a necessary step for customers, we fully expect them to want to complete their own analysis.”

Important customers

Past customers have included JetBlue, Nordstrom, Siemens, Slack, Takeda, Teach for America, Twilio, GrubHub, Bain & Company, Fidelity National Financial, Hewlett Packard Enterprise, T-Mobile, Sonos and Moody’s customers disclosed by Okta. In 2017, Okta said the US Department of Justice was a client.

In the original post earlier today on Tuesday, Bradbury acknowledged that “there was a five-day period between January 16 and 21, 2022, during which an attacker had access to a support technician’s laptop.”

“This is consistent with the screenshots we became aware of yesterday,” he said, referring to the screenshots Lapsus$ posted on Telegram.

Bradbury said the “potential impact on Okta customers is limited to the access that support technicians have.”

These technicians “cannot create or delete users, or download customer databases. Support technicians do have access to limited data — for example, Jira tickets and user lists — that were seen in the screenshots,” he said. Facilitate MFA factors for users, but cannot obtain those passwords.”

Series of attacks

In a Telegram post Tuesday, in response to Okta’s statement about the breach, Lapsus$ claimed that “the potential impact on Okta customers is NOT limited.”

“I’m pretty sure that resetting passwords and MFA would result in a complete compromise of many client systems,” the group said. Lapsus$ also claimed that Okta “stored AWS keys in Slack”.

Lapsus$ is believed to be active in South America. In the past month, Microsoft, Nvidia and Samsung Electronics confirmed the threat actor’s data theft.

On Monday, Lapsus$ had claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana on Telegram.

In a blog post Tuesday, Microsoft said Lapsus$ had gained “limited access” to Microsoft systems by compromising a single account. “Our cybersecurity response teams rushed to recover the compromised account and prevent further activity,” Microsoft researchers said.

VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more

This post Okta ‘should have acted faster’ to assess Lapsus$ breach, says CSO

was original published at “https://venturebeat.com/2022/03/22/okta-shouldve-moved-more-swiftly-to-assess-lapsus-breach-cso-says/”