Okta should’ve ‘moved more swiftly’ to assess Lapsus$ breach, CSO says

Despite an investigation being launched into the breach of a third-party Okta provider on January 21, Okta did not receive a report about the incident until March 17, Okta chief security officer David Bradbury said in a post Tuesday.

Okta also did not disclose the findings at that point — only publicly sharing details about the incident after the threat actor behind the breach, Lapsus$, had posted screenshots as evidence of the breach this week. “We should have moved more swiftly to understand [the report’s] implications,” Bradbury said.

Earlier on Tuesday, Bradbury had disclosed that Lapsus$ had accessed the account of a customer support engineer, who worked for a third-party provider, for five days in January.

In the post about the investigation into the breach, Bradbury identified the third-party provider as Sitel, which provides Okta with contract workers for customer support.

The investigation into the breach was carried out by a “leading forensic firm,” according to Bradbury. The firm was not identified.

From January 21 to February 28, the firm carried out its investigation, and its report to Sitel was dated March 10, Bradbury said. Okta “received a summary report about the incident from Sitel” on March 17, he said.

“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Bradbury said.

VentureBeat has reached out to Sitel for comment.

Additionally, “upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications,” Bradbury said.

Bradbury said that the “maximum potential impact” is that the breach could have impacted 366 customers (roughly 2.5% of Okta’s 15,000 customers).

The identity and access management vendor did not specify how the customers may have been impacted.

“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon,” Bradbury said in a separate post from the investigation post, which updated the company’s earlier statement on the Lapsus$ breach.

Lapsus$ leak

The disclosures by Okta came in response to screenshots posted on Telegram by Lapsus$, showing what the threat actor said was “access to Okta.com Superuser/Admin and various other systems.”

In the updated post Tuesday evening, Bradbury reiterated that “the Okta service is fully operational, and there are no corrective actions our customers need to take.”

In the updated post, Bradbury said that Okta has identified impacted customers and has “already reached out directly by email.”

“We take our responsibility to protect and secure customers’ information very seriously,” he said. “We deeply apologize for the inconvenience and uncertainty this has caused.”

Bradbury added that “while it is not a necessary step for customers, we fully expect they may want to complete their own analysis.”

Major customers

In the past, customers disclosed by Okta have included JetBlue, Nordstrom, Siemens, Slack, Takeda, Teach for America, Twilio, GrubHub, Bain & Company, Fidelity National Financial, Hewlett Packard Enterprise, T-Mobile, Sonos and Moody’s. In 2017, Okta said that the U.S. Department of Justice was a customer.

In the original post earlier in the day on Tuesday, Bradbury acknowledged that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop.”

“This is consistent with the screenshots that we became aware of yesterday,” he said, referring to the screenshots posted by Lapsus$ on Telegram.

Bradbury said that the “potential impact to Okta customers is limited to the access that support engineers have.”

These engineers “are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots,” he said. “Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”

Series of attacks

In a Telegram post Tuesday, responding to Okta’s statement on the breach, Lapsus$ contended that “the potential impact to Okta customers is NOT limited.”

“I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems,” the group said. Lapsus$ also claimed that Okta has been “storing AWS keys within Slack.”

Lapsus$ is believed to operate in South America. Over the past month, Microsoft, Nvidia and Samsung Electronics have confirmed the theft of data by the threat actor.

On Monday, Lapsus$ had claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana on Telegram.

In a blog post Tuesday, Microsoft said that Lapsus$ had gained “limited access” to Microsoft systems by compromising a single account. “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft researchers said.

Originally appeared on: TheSpuzz