Delaying Lapsus$ hack disclosure was a mistake, Okta says


It took Okta about two months to receive the investigation report from Sitel, a third-party supplier of customer support services

Identity and access management firm Okta has acknowledged that it made a mistake in its handling of the disclosure of the January security incident, in which the extortion group Lapsus$ targeted a third-party supplier of customer support services to Okta.

On Friday, the firm released a detailed timeline of the incident in a FAQ post on its website, beginning on January 20, when it noticed that "a new factor" had been added to the Okta account of a Sitel customer support engineer.

'This factor was a password,' Okta wrote.

Although the attacker's attempt to add the additional factor was unsuccessful, Okta reset the account on January 21 and contacted Sitel, which commissioned a leading forensic company to conduct an investigation.

Okta says it had no idea of the scope of the Sitel issue in January; all it knew was that it had blocked an account takeover attempt.
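The signal Okta acted on was a factor change on a vendor account, and the attempt was blocked rather than successful. A detection that only alerts on successful enrolments would have missed it. The following is an added example, not code from Okta or from this article, of the kind of rule a SOC would run over Okta System Log style events: flag any factor add, change or reset (successful or failed) on accounts belonging to a third-party support group, and note whether the request came from outside the vendor's expected network. The event-type strings and field paths are assumptions about the Okta log format and should be checked against a real tenant; the logins, group names, IP ranges and sample events are constructed for the example.

```python
"""Flag MFA factor changes on third-party support accounts in Okta-style logs.

Added example. The event records below are constructed to resemble Okta
System Log entries; event-type strings and field paths are assumptions about
that format, and the logins, groups and IP ranges are invented.
"""
from ipaddress import ip_address, ip_network

# Event types that add, change or remove authentication factors on a user.
# Assumed to follow Okta System Log naming; verify against your tenant's logs.
FACTOR_CHANGE_EVENTS = {
    "user.mfa.factor.activate",
    "user.mfa.factor.update",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
    "user.account.update_password",
}

# Constructed: group membership for the accounts in the sample, keyed by login.
# In practice this comes from a directory export or the Okta Groups API.
GROUP_MEMBERSHIP = {
    "support-eng@sitel.example": {"ThirdParty-Support"},
    "alice@okta-internal.example": {"Employees"},
}

# Constructed: egress ranges the support vendor is expected to use.
VENDOR_ALLOWED_NETS = [ip_network("198.51.100.0/24")]

# Constructed sample events shaped like Okta System Log entries.
SAMPLE_EVENTS = [
    {   # Blocked attempt to add a factor to a vendor account from an unknown IP.
        "eventType": "user.mfa.factor.activate",
        "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
        "client": {"ipAddress": "203.0.113.7"},
        "target": [{"type": "User", "alternateId": "support-eng@sitel.example"}],
    },
    {   # Normal factor activation by an internal employee: not a watched group.
        "eventType": "user.mfa.factor.activate",
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "198.51.100.5"},
        "target": [{"type": "User", "alternateId": "alice@okta-internal.example"}],
    },
    {   # Ordinary sign-in; not a factor change, so ignored.
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "198.51.100.9"},
        "target": [{"type": "User", "alternateId": "support-eng@sitel.example"}],
    },
    {   # Successful factor update on a vendor account from the vendor's own range.
        "eventType": "user.mfa.factor.update",
        "outcome": {"result": "SUCCESS"},
        "client": {"ipAddress": "198.51.100.9"},
        "target": [{"type": "User", "alternateId": "support-eng@sitel.example"}],
    },
]


def target_login(event):
    """Return the login of the User target of an event, or None."""
    for t in event.get("target", []):
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


def flag_factor_changes(events, watched_groups, membership=GROUP_MEMBERSHIP,
                        allowed_nets=VENDOR_ALLOWED_NETS):
    """Return one finding per factor change on an account in a watched group.

    Failed attempts are reported as well as successes: a blocked factor change
    on a vendor account is itself evidence that the account is being targeted.
    """
    watched = set(watched_groups)
    findings = []
    for ev in events:
        if ev.get("eventType") not in FACTOR_CHANGE_EVENTS:
            continue
        login = target_login(ev)
        if not (membership.get(login, set()) & watched):
            continue
        ip = ev.get("client", {}).get("ipAddress")
        off_network = ip is not None and not any(
            ip_address(ip) in net for net in allowed_nets)
        findings.append({
            "login": login,
            "eventType": ev["eventType"],
            "result": ev.get("outcome", {}).get("result"),
            "source_ip": ip,
            "off_network": off_network,
        })
    return findings


if __name__ == "__main__":
    for f in flag_factor_changes(SAMPLE_EVENTS, ["ThirdParty-Support"]):
        print(f)
```

Run against the constructed events, the rule produces two findings for the vendor account: the blocked activation from 203.0.113.7 (off-network, result FAILURE) and the successful update from the vendor's own range. The internal employee's enrolment and the plain sign-in are not reported. The point of keeping failed outcomes is that, as in the incident described above, the first visible sign of a compromised support provider may be an attempt that your own controls stopped.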

The firm says it was a mistake to assume that Sitel had disclosed everything important to Okta, and to wait for the findings of the probe Sitel had commissioned rather than pressing it for further details.

"We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible," Okta said, adding that it "would have made a different decision if we had been in possession of all of the facts that we have today".

Since the hack became public, many people have criticised the way Okta handled the situation.

Amit Yoran, CEO of Tenable, a cybersecurity firm and an Okta client, wrote an open letter to Okta, noting that the company not only delayed reporting the incident but also made several other mistakes in communicating the details.

"When you were outed by Lapsus$, you brushed off the incident and failed to provide literally any actionable information to customers," Yoran wrote.

Okta on 22 March confirmed that it was investigating a report of a data breach after the Lapsus$ data extortion group claimed access to its systems. The group posted screenshots on its Telegram channel of what it claimed was Okta's client data.

'For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor,' the group said.

At first, Okta CEO Todd McKinnon described the incident as an "attempt" by threat actors to hack the account of a support engineer. The company later said that the issue might have affected about 2.5 per cent of its 15,000 clients, or 366 firms in total.

In a blog post last week, Okta CSO David Bradbury blamed Sitel for the timing of the revelation.

Bradbury expressed his disappointment that it took Okta two months to receive a report from Sitel, which had engaged a cyber forensics company to investigate.

"As with all security incidents, there are many opportunities for us to improve our processes and our communications," Bradbury concluded.

"I'm confident that we are moving in the right direction and this incident will only serve to strengthen our commitment to security."