The identity management software firm Okta has admitted that it made a mistake in the way in which it handled an attack on one of its suppliers by the data extortion hacking group Lapsus$.
In a recently published FAQ, the company provided a full timeline of the incident beginning on January 20 when it first learned that “a new factor was added to a Sitel employee’s Okta account from a new location”. For those unfamiliar, Okta uses Sitel to provide some customer support services to its users.
While the attempt to add a new factor was unsuccessful, Okta still went ahead and reset the account in question and notified Sitel regarding the matter by sharing “indicators of compromise” with the company. From here, Sitel informed Okta that it had “retained outside support from a leading forensic firm”.
According to Okta, the company’s mistake involved believing that Sitel had shared all of the information it had on the incident and letting Sitel’s forensic firm carry out its own investigation. Instead, Okta should have pressed Sitel for more information as the company is its service provider for which it is ultimately responsible.
Investigation results
The forensics firm hired by Sitel delivered its report to the customer support company on March 10 but it wasn’t until a week later on March 17 that Okta received a summary report about the incident from Sitel.
A few days later though, Lapsus$ published screenshots on its Telegram channel claiming that they depicted Okta’s company environment, including internal tickets and in-house Slack chats. It was on this same day that Okta finally received the full report commissioned by Sitel which concluded that there was a “five-day period between January 16-21, where an attacker had access to Sitel”.
Okta provided further details on the incident itself and how it would respond now with all of the information in hand in its FAQ, saying:
“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”
While Okta says that it is confident that its own service has not been breached, the Lapsus$ group is likely gearing up to hit another big name target soon despite the fact that seven of its potential operatives were recently arrested in London.
Via The Register
