Impact of Lapsus$ attack on Okta less than feared

by admin
April 21, 2022
in Visionary CIO

The forensic investigation into the March 2022 leak of Okta’s customer data by the Lapsus$ cyber crime gang has concluded that its impact was significantly less serious than it had initially feared.

It had been thought that Lapsus$ took control of a Sitel customer support agent’s workstation by exploiting the remote desktop protocol (RDP) service between 16 and 21 January 2022, from where they were able to access the records of about 360 companies, representing less than 3% of Okta’s customer base.

However, the investigation has now found that Lapsus$ actively controlled the Sitel workstation for just 25 minutes on 21 January. During that very limited window, the attackers accessed just two active customer tenants within the SuperUser application and viewed limited additional information in Slack and Jira that could never have been used to perform actions in Okta customer tenants.

Lapsus$ was not able to perform any configuration changes, multi-factor authentication (MFA) or password resets, or impersonate any customer support agents. Nor could it authenticate directly to any Okta accounts.

“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognise the broad toll this kind of compromise can have on our customers and their trust in Okta,” said David Bradbury, chief security officer at Okta.

Bradbury said Okta had responded “with transparency” and had engaged fully with each of the two customers impacted through SuperUser to “demonstrate our commitment to rebuilding their trust and to working alongside them to reaffirm the security of their Okta service”.

It has now provided all the customers that it initially believed to have been hit with the final forensic report, and a security action plan setting out long- and short-term proposals to improve how it goes about working with third parties – such as Sitel, which Okta has now ditched – that have access to its customer support systems.

“We recognise how vital it is to take steps to rebuild trust within our broader customer base and ecosystem,” said Bradbury. “The conclusions from the final forensic report do not lessen our determination to take corrective actions designed to prevent similar events and improve our ability to respond to security incidents.

“That starts with reviewing our security processes and pushing for new ways to accelerate updates from third parties and internally for potential issues, both big and small. We will continue to work to assess potential risks and, if necessary, communicate with our customers as fast as we can.”

In future, third parties will have to conform to new security requirements, including adopting zero-trust security architectures and authenticating via Okta’s own identity and access management (IDAM) solution on all workplace applications.

It also plans to directly manage all third-party devices that access its customer support tool to improve visibility and response time, and modify the tool to limit what technical support engineers can view.

Finally, Okta is embarking on a review of its customer communications processes and plans to introduce new systems to communicate better with its users about service availability and security.

“Okta’s customers are our pride, purpose and number one priority,” said Bradbury. “It pains us that, while Okta’s technology excelled during the incident, our efforts to communicate about events at Sitel fell short of our own and our customers’ expectations.”

Lucas Budman, CEO of TruU, which has an interest as an authentication specialist, commented: “It is great to hear that Okta’s customers were less affected than assumed. However, this breach was preventable. People assume that they are protected by MFA, but the reality is that it is not truly multi.

“Passwords and second factor [2FA] technologies are easily compromised. It is time for the industry to move away from using weak forms of identification and towards truly passwordless, MFA-based authentication.”