Okta discusses Lapsus$ security breach

Hacking group Lapsus$ has already had an eventful year, after breaching the security of Nvidia, Microsoft, and Samsung.

While these breaches did target large companies, the motives of the group weren’t always clear. At times Lapsus$ asked for a financial ransom, but the group also asked for open-source (free to access) information about the latest products.

One of the most concerning attacks made by the group was against Okta. Okta is an authentication company that is used by more than 15,000 organizations, and in January it was breached by Lapsus$.

The company was initially slow to tell customers about the situation and has since apologized to its customers in a blog post last month. Since then, Okta has concluded its investigation of the attack.

Customers will be relieved that only 2.5% of customers were impacted by the breach.

Okta’s findings

In a statement, David Bradbury, chief security officer at Okta, explained: “After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon.

“We have identified those customers and already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.

“Our customers are our pride, purpose, and #1 priority. We take our responsibility to protect and secure customers’ information very seriously. We deeply apologize for the inconvenience and uncertainty this has caused.”

Okta also detailed what they knew about the attack. The company shared that the “threat actor” actively had control of an individual workstation that was used by a Sitel support engineer, with access to Okta resources.

The breach lasted for 25 consecutive minutes on January 21, 2022 and during this time the group accessed two active customers and viewed data from the SuperUser application as well as “limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.”

The hackers were ultimately unable to perform any configuration changes or authenticate any Okta accounts.

Lessons learned

Okta is now investing in third-party risk management and improving its audit procedures, ensuring compliance with security requirements. Additionally, Okta has terminated its relationship with Sykes/Sitel.

The company is also modifying its customer support to reduce wait times and give great certainty to customers. Okta will also review its customer communications process to deliver a better service.

This incident highlights the need for every organization to provide training on security and compliance, but many will be pleased that the threat presented from Okta’s breach has been relatively small.

Bradbury noted: “We conclude this investigation with a far stronger partnership and a sense of a shared journey with our customers.

“We recognize how critical Okta is to so many organizations and the individuals who rely on them, and are more determined than ever to deliver for them.”