As Lapsus$ comes back from 'vacation,' Sitel clarifies position on data breach

Lapsus$ also claims to have compromised a software solutions provider.
Written by Charlie Osborne, Contributing Writer

Sitel has published an update concerning a recent security incident involving the Lapsus$ hacking group and Okta. 

Following the circulation of screenshots by the Lapsus$ group on March 22, which appeared to show unauthorized access to Okta accounts and potentially privileged information, Okta launched an investigation. Sitel, an Okta subprocessor, was named as the third-party responsible for the security breach. 

Okta says that Lapsus$ may have impacted up to 366 customers in January 2022. Over five days, Lapsus$ had access to an Okta.com Superuser/Admin account reportedly owned by a Sitel customer support engineer. Okta has since said the company "made a mistake" by not informing customers sooner. 

"Sitel is our service provider for which we are ultimately responsible," the company commented. "In January, we did not know the extent of the Sitel issue -- only that we detected and prevented an account takeover attempt and that Sitel had retained a third-party forensic firm to investigate."

On March 29, Sitel published a statement on the cyberattack, having said little more previously that an investigation was ongoing. Sitel says it is "cooperating with law enforcement on this ongoing investigation and are unable to comment publicly on some of the details of the incident."

However, the company has said that the incident was related to the "legacy Sykes network only."

Documents obtained by cybersecurity researcher Bill Demirkapi and viewed by TechCrunch, including a Mandiant forensics report, suggest that attackers were able to access a spreadsheet containing passwords for domain administrator accounts. Sitel claims the document "listed account names from legacy Sykes but did not contain any passwords" but did not provide any further details. 

"The Sitel Group Security team believes there is no longer a security risk regarding this incident," Sitel added. "Even after the completion of the initial investigation, Sitel Group continues to work in partnership with our cybersecurity partner to assess potential security risks to both the Sitel Group infrastructure and to the brands Sitel Group supports around the globe."

After taking a "vacation," Lapsus$ has begun publishing new content on the hacking group's Telegram chat. 

On March 30, Lapsus$ claimed to have compromised Globant, a software development firm headquartered in Buenos Aires, Argentina. The threat actors allege that they have managed to steal client source code and have published a 70GB torrent file. 


ZDNet has reached out to Globant, and we will update when we hear back. 

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards