Okta says 366 business customers, or about 2.5% of its customer base, were affected by a security breach that allowed hackers to access the company’s internal network.
The authentication giant admitted the compromise after hacking and extortion group Lapsus$ posted screenshots of Okta’s apps and systems on Monday, some two months after the hackers first gained access to its network.
The breach was initially attributed to an unnamed sub-processor that provides customer support services to Okta. In an updated statement on Wednesday, Okta’s chief of security, David Bradbury, confirmed that the sub-processor is a company called Sykes, which was acquired last year by Miami-based contact center giant Sitel.
Customer service companies such as Sykes and Sitel often have broad access to the organizations they support to facilitate customer requests. Malicious hackers have previously targeted customer support companies, which often have weaker cybersecurity than some of the highly secured companies they support. Microsoft and Roblox have both experienced similar targeted compromises from customer support agent accounts leading to access to their internal systems.
In the case of Okta, the Lapsus$ hackers were on Sitel’s network for five days during January 16-21, 2022, according to Bradbury, until the hackers were detected and booted off the network.
Okta faced significant criticism from the wider security industry for the way the compromise was handled and the months-long delay in notifying customers, who found out at the same time the news broke on social media. According to Bradbury, Sitel engaged an undisclosed forensics company for the investigation, which concluded on March 10. A week later, on March 17, the report was handed over to Okta.
Bradbury said he is “deeply disappointed by the length of time that has elapsed between our notification to Sitel and the issuance of the full investigation report”, admitting Okta “should have acted faster” to understand the implications of the report.
But an email from a Sitel representative disputed how Okta characterized the report, saying the security breach “did not affect legacy Sitel Group systems or networks; only the legacy Sykes network was affected.” (The Sitel representative declared their email “off the record,” which requires both parties to agree to the terms in advance. We’re printing the responses because we weren’t given a chance to decline.) The email also stated that Sitel has no evidence of a data breach, but declined to say whether it has the resources, such as log files, to determine what data the attackers accessed or possibly exfiltrated.
A previous statement attributed to Sitel spokesperson Rebecca Sanders said: “As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk. We are unable to comment on our relationship with specific brands or the nature of the services we provide to our customers.”
Okta has not yet responded to thenewsupdate’s questions about the breach.