Okta Admits ‘Mistake’ Waiting Two Months Before Breach Admission


Amid criticism of its response, Okta now admits it “made a mistake” and says it “would have made a different decision” over its lengthy breach admission

Authentication specialist Okta continues to face criticism from some quarters over its clumsy handling of a data breach by the Brazilian-based hacking group Lapsus$.

The San Francisco-based firm provides authentication services that corporates including Fedex and Moody’s use to control access to their networks.

But Okta’s handling of the data breach has not pleased some. Last week the extortionist group Lapsus$ posted screenshots on its Telegram channel of what it claimed was internal Okta information.


Data breach

At first the firm denied it was breached, and said the alleged hack could be related to a previously undisclosed incident in January which had since been contained.

The fact that it took the firm over two months to notify people of that incident, coupled with chief security officer David Bradbury insisting that there were “no corrective actions that need to be taken by our customers,” did not go down well in some quarters.

There were questions whether Okta would have ever notified customers if Lapsus$ had not begun bragging about the incident on Telegram last week.

Matters were not helped when, days later, Okta admitted that 2.5 percent of its customers were potentially impacted in the breach.

Okta claims to have more than 15,000 customers in total, so if the 2.5 percent compromise figure is correct, it could mean that up to 366 organisations must investigate logins to their systems.

In its defence, Okta claims it only received a summary of the incident report from Sitel on 17 March and a copy of the full report on 22 March.

Made a mistake

Last Friday Okta released a FAQ in which it came close to apologising, but did not actually say sorry, only that it had made a mistake.

“On January 20, Okta saw an attempt to directly access the Okta network using a Sitel (a forensic firm) employee’s Okta account. This activity was detected and blocked by Okta, and we promptly notified Sitel, per the timeline above,” Okta stated.

So why didn’t Okta notify customers of the incident in January?

“We want to acknowledge that we made a mistake,” the firm said. “Sitel is our service provider for which we are ultimately responsible.”

“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate,” it said. “At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel.”

“In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today,” Okta said.

Lapsus$ arrests

Okta said it has “reached out to all customers who have been potentially impacted. In addition, we have also notified non-impacted customers.”

Last week the City of London Police arrested seven people connected to Lapsus$, apparently including a 16-year-old living at his mother’s house near Oxford, England.

The seven people were then released as the investigation into the attacks on Okta, as well as Microsoft, Nvidia, Samsung and others, continues.