Okta on handling of Lapsus$ breach: ‘We made a mistake’

By magenet 2 months ago

Table of Contents

  • Slow to disclose?
  • No evidence prior to January 20
  • ‘Confident’ in conclusions

Okta has released an apology for its handling of the January breach of a third-party support provider, which may have impacted hundreds of its customers.

The identity security vendor “made a mistake” in its response to the incident, and “should have more actively and forcefully compelled information” about what occurred in the breach, the company said in the unsigned statement, included as part of an FAQ posted on the Okta website today.

The apology follows a vigorous debate in the cybersecurity community in recent days over Okta’s lack of disclosure for the two-month-old incident. The breach impacted support contractor Sitel, which gave the hacker group Lapsus$ the ability to access as many as 366 Okta customers, according to Okta.

The Okta FAQ goes further than previous public communications in saying that the company made imperfect choices in its handling of the incident — though the statement stops short of saying that Okta believes it should have disclosed what it knew sooner.

“We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible,” the statement in the FAQ says.

“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers,” the Okta statement says. “We should have more actively and forcefully compelled information from Sitel.”

“In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today,” Okta says in the statement.

The apology and explanation were framed as a response to the question, “Why didn’t Okta notify customers in January?” VentureBeat has reached out to Sitel for comment.

Slow to disclose?

The FAQ statement follows criticism from some observers of Okta’s handling of the incident. At Tenable, a cybersecurity firm and Okta customer, CEO Amit Yoran issued an “Open Letter to Okta,” in which he said the vendor was not only slow to disclose the incident, but made a series of other missteps in its communications as well.

“When you were outed by LAPSUS$, you brushed off the incident and failed to provide literally any actionable information to customers,” Yoran wrote.

Meanwhile, Jake Williams, a well-known cybersecurity consultant and faculty member at IANS, wrote on Twitter that based upon Okta’s handling of the Lapsus$ incident, “I honestly don’t know how Okta regains the trust of enterprise orgs.”

Okta, a prominent identity authentication and management vendor, has seen its stock price drop 19.4% since the disclosure.

The company disclosed this week that Lapsus$ accessed the laptop of a Sitel customer support engineer from January 16-21, giving the threat actor access to up to 366 customers.

However, Okta did not disclose anything about the incident until Tuesday, and only then in response to Lapsus$ posting screenshots on Telegram as evidence of the breach.

Okta CSO David Bradbury had previously pointed the finger at Sitel for the timing of the disclosure. In a blog post, Bradbury said he was “greatly disappointed” by the fact that it took two months for Okta to receive a report on the incident from Sitel, which had hired a cyber forensic firm to investigate. (Sitel has declined to comment on that point.)

Bradbury had previously issued an apology, though not directly referring to Okta’s handling of the incident. “We deeply apologize for the inconvenience and uncertainty this has caused,” he had said in an earlier post.

The Okta CSO had also earlier said that after receiving a summary report from Sitel on March 17, the company “should have moved more swiftly to understand [the report’s] implications.”

The FAQ posted today does not provide new details on how customers may have been impacted by the breach. Okta’s statement does emphasize that the company believes Sitel — and therefore, Lapsus$ — would not have been able to download customers’ databases, or create/delete users.

No evidence prior to January 20

Okta’s timeline for the incident starts at January 20 (a timeline that was replicated in the FAQ post). However, Lapsus$ was able to access the third-party support engineer’s laptop from January 16-21, Okta has said, citing the forensic report. Some had suggested to VentureBeat that this left the first few days of the breach unaccounted for.

In the FAQ — in response to the question of “what happened from January 16 through January 20?” — Okta suggested it does not have evidence of anything malicious happening to Okta’s systems or customers during that time period.

“On January 20, Okta saw an attempt to directly access the Okta network using a Sitel employee’s Okta account. This activity was detected and blocked by Okta, and we promptly notified Sitel, per the timeline above,” Okta says in the FAQ, referring to the alert that led to the company becoming aware of the Lapsus$ intrusion.

“Outside of that attempted access, there was no other evidence of suspicious activity in Okta systems,” the FAQ says.

VentureBeat has reached out to Okta for comment.

The alert on January 20 was triggered by a new factor, a password, being added to the Okta account of a Sitel employee in a new location. Okta also says it “verified” the five-day time period for the intrusion by “reviewing our own logs.”
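The signal Okta describes, a new factor enrolled on an account from a location that account has not been seen at before, is a common detection rule for identity logs. The script below is an added illustration of that rule, not Okta's code and not its actual detection logic; the event schema, the event type names and the sample records are all constructed for the example. It builds a per-account baseline of locations from earlier events and flags only factor-enrollment events that fall outside that baseline.

```python
"""Flag a new authentication factor being enrolled on an account from a
location never seen for that account before.

Added illustration only: not Okta's code and not its real detection rule.
The event schema and event type names are simplified assumptions, and the
sample records are constructed for this example.
"""
from collections import defaultdict

# Event types treated as "a factor was added". These names are assumptions
# chosen for the example, not a definitive list from any vendor's log schema.
FACTOR_ADDED_EVENTS = {"user.mfa.factor.activate", "user.password.enroll"}

# Constructed sample records. Accounts, timestamps and locations are made up.
SAMPLE_EVENTS = [
    {"ts": "2022-01-18T09:02:11Z", "type": "user.session.start",
     "actor": "support.engineer@vendor.example", "city": "Manila", "country": "PH"},
    {"ts": "2022-01-19T10:15:40Z", "type": "user.session.start",
     "actor": "support.engineer@vendor.example", "city": "Manila", "country": "PH"},
    # A factor enrolled from a place this account has never signed in from.
    {"ts": "2022-01-20T14:31:05Z", "type": "user.mfa.factor.activate",
     "actor": "support.engineer@vendor.example", "city": "Elsewhere", "country": "XX"},
    # Same account, later sign-in from the known location: not a factor event.
    {"ts": "2022-01-21T08:00:00Z", "type": "user.session.start",
     "actor": "support.engineer@vendor.example", "city": "Manila", "country": "PH"},
    # A different user enrolling a factor from a location they already use.
    {"ts": "2022-01-17T12:00:00Z", "type": "user.session.start",
     "actor": "alice@customer.example", "city": "Berlin", "country": "DE"},
    {"ts": "2022-01-18T12:05:00Z", "type": "user.mfa.factor.activate",
     "actor": "alice@customer.example", "city": "Berlin", "country": "DE"},
]


def detect_factor_from_new_location(events):
    """Return one alert dict per factor-enrollment event whose (city, country)
    has not appeared in any earlier event for the same actor.

    Events are processed in timestamp order so that each account's baseline
    of known locations is built only from what came before the event.
    """
    known = defaultdict(set)   # actor -> set of (city, country) seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        loc = (ev["city"], ev["country"])
        if ev["type"] in FACTOR_ADDED_EVENTS and loc not in known[ev["actor"]]:
            alerts.append({
                "ts": ev["ts"],
                "actor": ev["actor"],
                "event": ev["type"],
                "location": loc,
                "known_locations": sorted(known[ev["actor"]]),
            })
        # Record the location after the check so the event cannot vouch for itself.
        known[ev["actor"]].add(loc)
    return alerts


if __name__ == "__main__":
    for a in detect_factor_from_new_location(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['actor']} enrolled a factor ({a['event']}) from "
              f"{a['location']}; previously seen at {a['known_locations']}")
```

On the constructed input only the support account's enrollment is flagged: the Berlin user enrolls a factor from a location already in their baseline, and ordinary sign-ins never alert on their own. In a real deployment the baseline would come from a longer history than a few days of events, and the alert would typically be routed to the account's owning organisation (here, the contractor) as well as to the identity provider's own security team.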

‘Confident’ in conclusions

In response to the question of “what data/information was accessed” during that five-day period, Okta did not provide new specifics, and reiterated previous points about the fact that the support engineers at Sitel have “limited” access.

Echoing earlier statements, Okta said that such third-party engineers cannot create users, delete users or download databases belonging to customers.

“Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to choose those passwords,” Okta said in the FAQ. “In order to take advantage of this access, an attacker would independently need to gain access to a compromised email account for the target user.”

Ultimately, “we are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers,” Okta said. “We are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.”

Okta added in the FAQ that it has contacted all customers that were potentially impacted by the incident, and “we have also notified non-impacted customers.”

Bloomberg reported Wednesday that Lapsus$ is headed by a 16-year-old who lives with his mother in England. Yesterday, the BBC reported that the City of London Police have arrested seven teenagers in connection with the Lapsus$ group.

It was unknown whether the group’s leader was among those arrested. Lapsus$ most recently posted on its Telegram account earlier today.
