Okta on handling of Lapsus$ breach: ‘We made a mistake’


Okta has issued an apology for its handling of the January breach of a third-party support provider, which may have affected hundreds of its customers.

The identity security vendor “made a mistake” in its response to the incident and should have “more actively and forcefully compelled information” about what happened in the breach, the company said in an unsigned statement, as part of an FAQ posted on the Okta website today.

The apology follows a heated debate in recent days in the cybersecurity community over Okta's lack of disclosure for the two-month-old incident. The breach affected support contractor Sitel, which gave the hacker group Lapsus$ the ability to access up to 366 Okta customers, according to Okta.

The Okta FAQ goes further than previous public communications and says the company made incomplete choices in handling its incident – although the statement goes so far as to say that Okta believes it should have disclosed the information sooner.

“We want to admit that we made a mistake. Sitel is our service provider for which we are ultimately responsible,” the statement in the FAQ said.

“In January, we did not know the extent of the Sitel problem – only that we detected and stopped the account takeover attempt and that Sitel retained a third party forensic firm to investigate. At the time, we did not recognize the risk to Okta and our customers,” the Okta statement said. “We should have more active and compelling information from Sitel.”

“In light of the evidence we have gathered over the past week, it is clear that we would have made a different decision if we had all the facts we have today,” Okta said in a statement.

The apology and explanation were formulated in response to the question, “Why didn’t Okta inform customers in January?” VentureBeat has reached out to Sitel for comment.

Slow to reveal?

The FAQ statement follows some criticism of the handling of the incident by Okta. At Tenable, a cybersecurity firm and Okta customer, CEO Amit Yoran issued an “open letter to Okta,” stating that the vendor was not only slow to disclose the incident, but also made a series of other errors in its communications.

“When you were fired by LAPSUS, you removed the incident and failed to provide customers with any actionable information,” Yoran wrote.

Meanwhile, Jake Williams, a well-known cybersecurity consultant and faculty member at IANS, wrote on Twitter, based on Okta’s handling of the Lapsus$ incident, “I honestly don’t know how Okta Enterprise regains the trust of orgs.”

Okta, a leading identity authentication and operating vendor, saw its share price fall 19.4%.

The company revealed this week that Lapsus$ accessed a Sitel customer support engineer’s laptop between January 16-21, giving the threat actor access to 366 customers.

However, Okta did not disclose anything about the incident until Tuesday, and only then in response to screenshots posted on Telegram as evidence of a Lapsus$ breach.

Okta CSO David Bradbury had earlier pointed a finger at Sitel for the timing of the announcement. In a blog post, Bradbury said he was “deeply disappointed” by the fact that it took two months for Okta to receive a report on the incident from Sitel, which had hired a cyber forensic firm to investigate. (Sitel declined to comment on the issue.)

Bradbury had earlier issued an apology, although it did not directly mention Okta’s handling of the incident. “We apologize for the inconvenience and uncertainty this may have caused,” he said in an earlier post.

The Okta CSO had earlier said that after receiving a summary report from Sitel on March 17, the company “needed to move faster to understand [the report’s] effects.”

The FAQ posted today does not provide new details on how customers may have been affected by the breach. Okta’s statement emphasizes that the company believes that Sitel – and therefore, Lapsus$ – would not have been able to download customer databases, or create / delete users.

No evidence before January 20th

Okta’s timeline for the event begins January 20 (a timeline that was copied in the FAQ post). However, Lapsus$ was able to access the third-party support engineer’s laptop between January 16-21, Okta said, citing a forensic report. Some suggested to VentureBeat that the first few days of the breach were unaccounted for.

In the FAQ, in answer to the question “What happened from January 16 to January 20?”, Okta indicated that it had no evidence that anything malicious was happening to Okta’s systems or customers during that period.

“On January 20, Okta saw an attempt to access the Okta network directly using a Sitel employee’s Okta account. This activity was detected and blocked by Okta, and we immediately notified Sitel as per the timeline above,” the Okta FAQ said, adding that the company was informed of the Lapsus$ intrusion.

The FAQ states that “beyond that access attempt, no other evidence of suspicious activity has been found in Okta Systems.”

VentureBeat has contacted Okta for comment.

The January 20 alert was triggered by a new factor, a password, being added to the Sitel employee’s Okta account from a new location. Okta also says it has “reviewed” its own logs to “verify” the five-day period of the intrusion.

‘Confidence’ in conclusion

In response to a question about “what data / information was accessed” during that five-day period, Okta did not provide new explanations, and reiterated previous points about the fact that support engineers at Sitel had “limited” access.

Echoing earlier statements, Okta said such third-party engineers could not create users, delete users or download customer databases.

“Support engineers are also able to reset passwords and multi-factor authentication factors for users, but are unable to select those passwords,” Okta said in the FAQ. “To take advantage of this access, the attacker will need to gain independent access to the target user’s compromised email account.”

Ultimately, “we are confident in our conclusion that the Okta service has not been breached and that no corrective action needs to be taken by our customers,” Okta said. “We are confident in this conclusion because Sitel (and therefore the threat actor who only had access to Sitel) was unable to create or delete users or download the customer database.”

Okta added in the FAQ that it has contacted all customers who were potentially affected by the incident, and “we have also notified non-affected customers.”

Bloomberg reported Wednesday that Lapsus$ is led by a 16-year-old who lives in England with his mother. Yesterday, the BBC reported that City of London police had arrested seven teenagers in connection with the Lapsus$ group.

It is unknown at this time what he will do after leaving the post. Lapsus$ most recently posted on its Telegram account earlier today.
