Okta has admitted it “made a mistake” by not telling customers sooner about a security breach in January, in which hackers were able to access the laptop of a third-party customer support engineer.
The Lapsus$ hacking group published screenshots of Okta’s systems on March 22, taken from the laptop of a Sitel customer support engineer to which the hackers had remote access on January 20.
“We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel,” Okta said in an FAQ it published on Friday, under the heading ‘Why didn’t Okta notify customers in January?’.
On January 20, Okta said, it detected and blocked an attempt to directly access the Okta network using a Sitel employee’s Okta account, and then notified Sitel. Outside of that attempted access, there was no other evidence of suspicious activity in Okta systems, it said.
Okta is an important enterprise access management software vendor. It said that only 366 customers, about 2.5% of its customer base, were affected. However, there have been questions as to why customers did not know about the incident sooner.
In its FAQ Okta said: “In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”
The company has provided a detailed timeline of events from January 20 — when it received an alert that a new factor was added to a Sitel employee’s Okta account — to March 22 — the date Lapsus$ published the screenshots it grabbed.
On January 21, Sitel hired an unnamed forensic company to investigate the breach; the firm concluded its investigation on February 28.
The forensic report to Sitel is dated March 10 and Okta received a summary of that report on March 17, according to Okta’s timeline.
After the screenshots were published, Okta’s chief security officer David Bradbury said he was “greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report.”