Okta: We made a mistake over Lapsus$ breach notification

Okta says it was wrong to not tell customers about the January breach sooner, but it said it did not know the extent of the issue.
Written by Liam Tung, Contributing Writer

Okta has admitted it "made a mistake" by not telling customers sooner about a security breach in January, in which hackers were able to access the laptop of a third-party customer support engineer.

The Lapsus$ hacking group published screenshots of Okta's systems on March 22, taken from the laptop of a Sitel customer support engineer, which the hackers had remote access to on January 20. 

"We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn't recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel," Okta said in an FAQ it published on Friday, under the heading 'Why didn't Okta notify customers in January?'.


On January 20, Okta said, it observed an attempt to access the Okta network directly using a Sitel employee's Okta account; Okta detected and blocked the attempt and then notified Sitel. Beyond that single attempted access, it said, there was no other evidence of suspicious activity in Okta's systems.

Okta is a major enterprise access management software vendor. It said that only 366 customers, about 2.5% of its customer base, were affected. However, questions have been raised as to why customers were not told about the incident sooner.

In its FAQ, Okta said: "In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today."

The company has provided a detailed timeline of events from January 20 – when it received an alert that a new factor was added to a Sitel employee's Okta account – to March 22, which is the date Lapsus$ published the screenshots it grabbed. 

On January 21, Sitel hired an unnamed forensic company to investigate the breach; the firm concluded its work on February 28.

The forensic report to Sitel is dated March 10 and Okta received a summary of that report on March 17, according to Okta's timeline. 

After the screenshots were published, Okta's chief security officer David Bradbury said he was "greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report."  
