RISKS
What happened
In March 2022, Okta stated that 366 corporate customers, or about 2.5% of its customer base of 15,000 business and institution customers, were impacted by a security breach that allowed hackers to access the company’s internal network.
The authentication giant admitted the compromise after the Lapsus$ hacking and extortion group posted screenshots of Okta’s apps and systems on Monday, some two months after the hackers first gained access to its network.
The breach was initially blamed on an unnamed subcontractor that provides customer support services to Okta. In an updated statement on March 23rd, Okta’s chief security officer (CSO) David Bradbury confirmed the subcontractor is a company called Sykes, which last year was acquired by Miami-based contact center giant Sitel.
According to Bradbury’s statement, here is the timeline of the identification of the breach and the notification process:
- January 20, 2022, at 23:18 – Okta Security received an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The target did not accept an MFA challenge, preventing access to the Okta account.
- January 20, 2022, at 23:46 – Okta Security investigated the alert and escalated it to a security incident.
- January 21, 2022, at 00:18 – The Okta Service Desk was added to the incident to assist with containing the user’s account.
- January 21, 2022, at 00:28 – The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of the suspicious activity could be identified and remediated.
- January 21, 2022, at 18:00 – Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
- January 21, 2022, to March 10, 2022 – The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
- March 17, 2022 – Okta received a summary report about the incident from Sitel.
- March 22, 2022, at 03:30 – Screenshots shared online by LAPSUS$.
- March 22, 2022, at 05:00 – Okta Security determined that the screenshots were related to the January incident at Sitel.
- March 22, 2022, at 12:27 – Okta received the complete investigation report from Sitel.
Bradbury also noted that their “investigation determined that the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP. This device was owned and managed by Sitel. The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.” He also stated: “The report from the forensic firm highlighted that there was a five-day window of time between January 16-21, 2022 when the threat actor had access to the Sitel environment, which we validated with our own analysis.” Okta has cut off ties with Sitel. Okta has since developed and deployed hardened laptops for all customer support personnel. Access to all client instances now requires re-authentication as well.
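The first step in Okta’s timeline is the signal that actually caught the intrusion: a new MFA factor enrolled on a support engineer’s account from a location that account had never signed in from, followed by a push challenge the legitimate user did not accept, followed by session termination and account suspension. The detector below is an added illustration of that rule written for this briefing; it is not Okta’s detection logic or any vendor’s product code. The eventType strings follow Okta System Log naming conventions, but the log records, user names, IP addresses and locations are constructed placeholders, and the thirty-minute corroboration window is an assumption.

```python
"""Flag MFA factor enrollment from a previously unseen location.

Toy detector over Okta System Log-style records (eventType names follow
Okta conventions; every record here is constructed sample data).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Successful sign-in events establish a user's "known" locations.
BASELINE_EVENTS = {"user.session.start", "user.authentication.auth_via_mfa"}
# Events that change a user's MFA posture and therefore deserve scrutiny.
FACTOR_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.update",
                        "user.mfa.factor.reset_all"}
# A push the real user refused shortly after the enrollment corroborates the alert.
DENY_EVENTS = {"user.mfa.okta_verify.deny_push"}


def location_of(event):
    """Coarse (country, city) key taken from the event's client block."""
    geo = event.get("client", {}).get("geographicalContext", {})
    return (geo.get("country", "?"), geo.get("city", "?"))


def parse_ts(event):
    """Parse the ISO-8601 'published' timestamp (UTC, 'Z' suffix)."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def detect_new_factor_from_new_location(events, deny_window_minutes=30):
    """Return one alert per factor change whose location was never seen in a
    prior successful sign-in for that user.  Severity is raised to 'high' when
    the same user denies a push within deny_window_minutes (assumed window)."""
    known = defaultdict(set)          # user -> {(country, city), ...}
    alerts = []
    ordered = sorted(events, key=parse_ts)
    for i, ev in enumerate(ordered):
        user = ev["actor"]["alternateId"]
        loc = location_of(ev)
        if ev["eventType"] in BASELINE_EVENTS and ev.get("outcome", {}).get("result") == "SUCCESS":
            known[user].add(loc)
        elif ev["eventType"] in FACTOR_CHANGE_EVENTS and loc not in known[user]:
            deadline = parse_ts(ev) + timedelta(minutes=deny_window_minutes)
            denied = any(
                later["eventType"] in DENY_EVENTS
                and later["actor"]["alternateId"] == user
                and parse_ts(later) <= deadline
                for later in ordered[i + 1:]
            )
            alerts.append({
                "user": user,
                "eventType": ev["eventType"],
                "location": loc,
                "ip": ev.get("client", {}).get("ipAddress"),
                "published": ev["published"],
                "severity": "high" if denied else "medium",
                # Mirrors the containment Okta's timeline describes.
                "recommended_action": "clear sessions and suspend account pending review",
            })
    return alerts


def sample_events():
    """Constructed records (not real Okta data) reproducing the pattern."""
    def ev(ts, etype, user, country, city, ip, result="SUCCESS"):
        return {"published": ts, "eventType": etype,
                "actor": {"alternateId": user, "type": "User"},
                "client": {"ipAddress": ip,
                           "geographicalContext": {"country": country, "city": city}},
                "outcome": {"result": result}}
    eng, other = "support.engineer@example.com", "other.user@example.com"
    return [
        ev("2022-01-18T14:02:11Z", "user.session.start", eng, "Country-A", "City-A", "198.51.100.10"),
        ev("2022-01-19T09:15:40Z", "user.authentication.auth_via_mfa", eng, "Country-A", "City-A", "198.51.100.10"),
        # Enrollment from a location never seen for this account.
        ev("2022-01-20T23:18:02Z", "user.mfa.factor.activate", eng, "Country-B", "City-B", "203.0.113.77"),
        # The real user refuses the push that follows.
        ev("2022-01-20T23:19:30Z", "user.mfa.okta_verify.deny_push", eng, "Country-A", "City-A", "198.51.100.10", "FAILURE"),
        # Benign enrollment from an already-known location: no alert expected.
        ev("2022-01-15T08:00:00Z", "user.session.start", other, "Country-A", "City-C", "192.0.2.5"),
        ev("2022-01-20T10:00:00Z", "user.mfa.factor.activate", other, "Country-A", "City-C", "192.0.2.5"),
    ]


if __name__ == "__main__":
    for alert in detect_new_factor_from_new_location(sample_events()):
        print(alert)
```

The baseline is learned only from successful sign-ins that precede the factor change, so an enrollment from a location the account has already authenticated from (the second user above) stays quiet, while the first user’s enrollment from an unseen location is flagged and escalated because a denied push follows it. In a real deployment the known-location set would be persisted across log windows rather than rebuilt per batch.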
In addition to Okta, since December 2021, the Lapsus$ group has also claimed to have accessed or stolen data from NVIDIA, Vodafone, Samsung, Ubisoft, LG Electronics and Microsoft.
Why is this important?
This is important in two ways. First, the fact that Okta’s customer data was accessed through a subcontractor rather than directly from Okta itself shows how attackers look for the weakest link to gain access to your systems.
Second, the delay in notifying its customers (only notifying them once Lapsus$ posted the screenshots) has put Okta in a difficult situation with them. The cloud infrastructure and security provider Cloudflare Inc. publicly discussed dropping Okta as a vendor and published its own blog post with tips on how security teams should hunt for threats. Amit Yoran, chief executive of security firm Tenable Inc., wrote in a LinkedIn post on March 23rd that the breach should have been disclosed either in January or after a timely forensic analysis and stated, “As a customer, all we can say is that Okta has not contacted us.”
What does this mean to me?
Security management doesn’t stop with your own employees; it extends to every third party that also has access to your data. Not only that, but the manner and speed in which you respond to incidents and notify potentially impacted parties about breaches can shape the fallout from those incidents.
APPROACHES
Helpful Controls
Commonality of attack
High
Article on story
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.