Identity and access management provider Okta says a cyber attacker accessed the data of only two customers, not 366 as originally feared, after the hacking of one computer at a third-party support supplier by the Lapsus$ extortion gang.
In a report Wednesday, Okta chief security officer David Bradbury said the January attack on customer support provider Sitel lasted only 25 minutes. “During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” he wrote.
The threat actor was unable to successfully perform any Okta configuration changes, multifactor authentication password resets or customer support “impersonation” events, Bradbury said. Nor was the attacker able to authenticate directly to any Okta accounts.
Among a number of moves being made to improve customer trust, Okta is terminating its relationship with Sykes/Sitel, and will now directly manage all devices of third parties that access its customer support tools.
A section entitled “Lessons Learned,” included three categories:
1. Third-party risk management:
- Okta said it is strengthening its audit procedures of its sub-processors and will confirm they comply with its new security requirements. “We will require that sub-processors who provide Support Services on Okta’s behalf adopt ‘Zero Trust’ security architectures,” the report says, “and that they authenticate via Okta’s IDAM solution for all workplace applications.”
2. Access to customer support systems:
- Okta will now directly manage all devices of third parties that access its customer support tools, providing the necessary visibility to effectively respond to security incidents without relying on a third party. “This will enable us to significantly reduce response times and report to customers with greater certainty on actual impact, rather than potential impact,” the report said.
- The company is making further modifications to its customer support tool to restrictively limit what information a technical support engineer can view. These changes also provide greater transparency about when this tool is used in customer admin consoles (via System Log), it said.
3. Customer communications: Okta is reviewing its communications processes and will adopt new systems to communicate more rapidly with customers on security and availability issues.
“It pains us,” Bradbury wrote, “that while Okta’s technology excelled during the incident, our efforts to communicate about events at Sitel fell short of our own and our customers’ expectations.”
Last month Bradbury admitted that Okta should have moved faster to get the full report from Sitel about the cyberattack. The summary it saw led Okta to initially downplay the attack. It was only when the Lapsus$ gang published screenshots of the customer data it saw did Okta realize the possible problems.