There's been another development in the Lapsus$ saga
Okta waited on a service provider when it should have taken action
The identity management software firm Okta has admitted that it made a mistake in the way in which it handled an attack on one of its suppliers by the data extortion hacking group Lapsus$.
In a recently published FAQ, the company provided a full timeline of the incident beginning on January 20 when it first learned that “a new factor was added to a Sitel employee’s Okta account from a new location”. For those unfamiliar, Okta uses Sitel to provide some customer support services to its users.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.
While the attempt to add a new factor was unsuccessful, Okta still went ahead and reset the account in question and notified Sitel regarding the matter by sharing “indicators of compromise” with the company. From here, Sitel informed Okta that it had “retained outside support from a leading forensic firm”.
According to Okta, the company's mistake involved believing that Sitel had shared all of the information it had on the incident and letting Sitel's forensic firm carry out its own investigation. Instead, Okta should have pressed Sitel for more information as the company is its service provider for which it is ultimately responsible.
Investigation results
The forensics firm hired by Sitel delivered its report to the customer support company on March 10 but it wasn't until a week later on March 17 that Okta received a summary report about the incident from Sitel.
A few days later though, Lapsus$ published screenshots on its Telegram channel claiming that they depicted Okta’s company environment, including internal tickets and in-house Slack chats. It was on this same day that Okta finally received the full report commissioned by Sitel which concluded that there was a “five-day period between January 16-21, where an attacker had access to Sitel”.
Okta provided further details on the incident itself and how it would respond now with all of the information in hand in its FAQ, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”
While Okta says that it is confident that its own service has not been breached, the Lapsus$ group is likely gearing up to hit another big name target soon despite the fact that seven of its potential operatives were recently arrested in London.
- We've also featured the best endpoint protection software and the best antivirus
Via The Register
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.