Okta Admits ‘Mistake’ Waiting Two Months Before Breach Admission

Authentication specialist Okta continues to face criticism from some quarters over its clumsy handling of a data breach by the Brazilian-based hacking group Lapsus$.

The San Francisco-based firm provides authentication services that corporates including FedEx and Moody’s use to control access to their networks.

But Okta’s handling of the data breach has not pleased everyone. Last week the extortionist group Lapsus$ posted screenshots on its Telegram channel of what it claimed was internal Okta information.

Data breach

At first the firm denied it was breached, and said the alleged hack could be related to a previously undisclosed incident in January which had since been contained.

The fact that it took the firm over two months to notify people of that incident, coupled with chief security officer David Bradbury insisting there were “no corrective actions that need to be taken by our customers,” did not go down well in some quarters.

There were questions as to whether Okta would ever have notified customers if Lapsus$ had not begun bragging about the incident on Telegram last week.

Matters were not helped when, days later, Okta admitted that 2.5 percent of its customers were potentially impacted in the breach.

Okta claims to have more than 15,000 customers in total, so if the 2.5 percent figure is correct, it could mean that up to 366 organisations must investigate logins to their systems.

In its defence, Okta claims it only received a summary of the incident report from Sitel on 17 March and a copy of the full report on 22 March.

Made a mistake

Last Friday Okta released a FAQ in which it came close to, but stopped short of, an apology, saying only that it had made a mistake.

“On January 20, Okta saw an attempt to directly access the Okta network using a Sitel (a forensic firm) employee’s Okta account. This activity was detected and blocked by Okta, and we promptly notified Sitel, per the timeline above,” Okta stated.

So why didn’t Okta notify customers of the incident in January?

“We want to acknowledge that we made a mistake,” the firm said. “Sitel is our service provider for which we are ultimately responsible.”

“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate,” it said. “At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel.”

“In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today,” Okta said.

Lapsus$ arrests

Okta said it has “reached out to all customers who have been potentially impacted. In addition, we have also notified non-impacted customers.”

Last week the City of London Police arrested seven people connected to Lapsus$, apparently including a 16-year-old living at his mother’s house near Oxford, England.

The seven people were then released as the investigation into the attacks on Okta, as well as Microsoft, Nvidia, Samsung and others, continues.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
