Tenable's chairman and CEO says Okta should have notified customers much sooner.

Edward Gately, Senior News Editor

March 25, 2022


An Okta data breach by the Lapsus$ hacking group may have impacted up to 366 corporate customers, or 2.5% of the company’s customer base.

That’s according to David Bradbury, Okta’s chief security officer. He provided an update on Okta’s investigation in a blog.

The Okta data breach stems from a security incident that took place in January.

According to Reuters, British police have arrested seven people following a series of hacks by the Lapsus$ hacking group, which targeted major firms including Okta and Microsoft. The police haven’t filed formal charges pending investigation.

Amit Yoran, Tenable’s chairman and CEO, wrote a scathing open letter to Okta posted on LinkedIn.


“Like many of you, the first question I asked myself after learning of the Okta breach was, are we exposed?” he said. “That’s an incredibly simple, but crucial question — one that Okta customers should have had the chance to ask themselves two months ago when the company first discovered the compromise. Two months is too long.”

Okta should have disclosed the compromise when it detected it in January or after a competent and timely forensic analysis, Yoran said.

Data Breach Traced to Sub-Processor

Okta uses several sub-processors to expand its workforce, Bradbury said. These entities help Okta deliver for its customers and make them successful with its products. Sitel is an Okta sub-processor. It provides Okta with contract workers for its customer support organization.


“On Jan. 20, the Okta security team was alerted that a new factor was added to a Sitel customer support engineer’s Okta account,” he said. “This factor was a password.”

This week, Lapsus$ shared screenshots of internal information, Bradbury said. Okta determined the screenshots were related to the January incident at Sitel.

‘Greatly Disappointed’ in Sitel

Okta this week received the complete investigation report from Sitel. Bradbury said he’s “greatly disappointed” in how long Sitel took to send the report.

“Upon reflection, once we received the Sitel summary report, we should have moved more swiftly to understand its implications,” he said.

Okta’s investigation determined the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer’s computer to which an attacker had obtained remote access using Remote Desktop Protocol (RDP).

Sitel owns and manages the device, Bradbury said.

“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine, and is using the mouse and keyboard,” he said.

The attacker never gained access to the Okta service via account takeover, Bradbury said. However, the attacker compromised a machine that was logged into Okta and, through the RDP session, obtained screenshots and control of that machine.

Limited Access

Support engineers have limited access, Bradbury said.

“While it is not a necessary step for customers, we fully expect they may want to complete their own analysis,” he said. “For transparency, these customers will receive a report that shows the actions performed on their Okta tenant by Sitel during that period of time. We think this is the best way to let customers assess the situation for themselves.”

The attackers didn’t breach Okta’s service, and it remains fully operational, Bradbury said. There are no corrective actions that need to be taken by customers.

“Support engineers use a number of customer support tools to get their job done including Okta’s instances of Jira, Slack, Splunk, RingCentral, and support tickets through Salesforce,” he said.

Support engineers perform most tasks using an internally-built application called SuperUser or SU for short, Bradbury said.

“This does not provide ‘god-like access’ to all its users,” Bradbury said.

The application grants only the specific access support engineers require to perform their roles.

Support engineers can’t create or delete users, Bradbury said. They also can’t download customer databases or access Okta source code repositories.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
