Okta said that Lapsus$ — believed to be based in South America — gained access to certain customer data through a third-party contractor in January 2022. In a statement, Okta Chief Security Officer David Bradbury provided a timeline of key events surrounding the incident. Bradbury also reassured customers that Okta itself was not breached, and that its customers do not need to take any action on their end.
Okta Sub-Processor Sitel Targeted
On March 22, the prolific ransomware group Lapsus$ posted screenshots on its Telegram channel, claiming they contained Okta customer data. Okta’s new statement puts forward the company’s view of the incident based on its own investigations, as well as that of Sitel, the compromised sub-processor. “The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard,” Bradbury said. Okta has a contract with Sitel for customer support engineers. According to Bradbury, one of Sitel’s engineers was the source of the leaked screenshots. The attackers apparently gained access to the support engineer’s computer through RDP (Remote Desktop Protocol) and took the screenshots from the compromised system. “Okta Security team was alerted that a new factor was added to a Sitel customer support engineer’s Okta account,” Bradbury said in a statement. “This factor was a password. Although that individual attempt was unsuccessful, out of an abundance of caution, we reset the account and notified Sitel who engaged a leading forensic firm to perform an investigation.”
Lapsus$ had Limited Access to Okta Information
Bradbury was quick to point out that the attackers did not have “god-like access” to its customers. In fact, customer support engineers have very basic levels of access, limited to the basic functions for handling inbound queries. Bradbury added that support engineers “are granted only the specific access they require to perform their roles.” Therefore, Lapsus$ never had the ability to create or delete users, download customer databases, or access Okta’s source code repositories, the company said. However, Okta and Sitel both confirmed that Lapsus$ had access to the latter’s environment between January 16 and 21. Okta estimates that, in the worst-case scenario, Lapsus$ had access to 366 customers — approximately 2.5% of Okta’s total customer base.
Timeline of Key Events
Bradbury’s latest statement contains some insight regarding the response times of both Okta and Sitel. Below is a timeline of the key events: Bradbury expressed his disappointment at Sitel for not acting sooner after receiving Okta’s notification. He added that Okta could have acted faster after receiving Sitel’s summary report.