It is any organization’s nightmare: discovering that the data of hundreds of your customers was accessible for days before you were aware of it. This nightmare only becomes worse when the criminal actors responsible begin calling your organization out via their Telegram account and posting screenshots that seem to show their control of an administrator-level account, alerting your customers and the public to the breach at the same time. This is the horror that technology company Okta has experienced in the last few days.
What Happened?
Okta is a company that provides authentication services to hundreds of companies. Early in 2022, one of the company’s subcontractors was breached. The computer of a customer support engineer from recent Sitel acquisition Sykes was accessed for a period of five days, from January 16th until January 21st. While the Chief Security Officer of Okta, David Bradbury, said that “the potential impact to Okta customers is limited to the access that support engineers have,” the industry looked with concern at the actions taken by the company both internally and while informing the public and customers.
Okta claimed that no corrective actions needed to be taken, but stated that employees would help reset passwords for customers that “may have been impacted.” Such messaging was extremely unclear, and the waters became even muddier when Okta later announced that 366 customers had been impacted, or potentially 2.5% of the company’s customer base. Voices from the industry began to ask questions, such as why Okta’s official timeline starts on January 20th instead of the January 16th breach date, and why no actions were taken to notify customers until after the criminal organization released screenshots of the breach.
Who Breached Sitel?
The breach was claimed by Lapsus$, a cybercriminal group making waves due to some of their unconventional tactics and recent breaches of large companies, including Microsoft, Nvidia, Samsung, Ubisoft, and governmental, healthcare, and media companies. Unlike many hacking groups, Lapsus$ announces their attacks via social media channels and will publicly request to buy credentials from employees at organizations. Per Microsoft’s analysis, this group leverages knowledge of “employees, team structures, help desks, crisis response workflows, and supply chain relationships” to access companies through third party vendors to extort the breached organizations.
What To Do
While Okta has not specified exactly how it is reaching out to impacted clients, any organization that utilizes Okta for authentication should follow the lead of companies like Cloudflare and investigate their own environment for signs of misuse.
- If you have not done so already, enable Multi-Factor Authentication on all accounts and devices that have access to your network. Review password reset requests from the last several months, and validate these with the employees who requested them. If there are discrepancies, disable the users’ access to corporate accounts, and utilize your endpoint security software solution to lock devices and force a password reset. Whenever possible, verify the reset is completed by contacting the individual.
- Ensure that all network endpoints are secure.
- As necessary, look into the security posture of your third-party vendors and subcontractors, and prepare to make adjustments if there are weaknesses in the security programs of the third parties your company works with.
- If you see a pattern of suspicious activity or have reason to believe that there has been a breach, take the necessary ethical and legal steps. Reach out to your customers and be honest, and publicly disclose the timeline of the actions you have taken to secure the data again. Comply with all legal requirements and industry best practices for informing individuals and organizations impacted, and outline what steps they should take to protect themselves.
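One way to carry out the password-reset review in the first step above, as an added example that is not part of the original article or of any vendor's tooling: scan identity-provider audit events for successful password or MFA resets that were performed on a user by someone other than that user (an administrator or a support engineer), within a lookback window, and group them by affected employee so each one can be confirmed out of band. The log lines are constructed for this example, and the field names and event-type strings are modelled on Okta System Log entries as an assumption; adjust them to whatever your identity provider actually emits.

```python
import json
from datetime import datetime, timedelta, timezone

# Event types worth a human check. The names mirror Okta System Log eventType
# values as an assumption; replace them with your provider's real values.
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}

# Constructed sample log (not a real capture): one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventType": "user.account.reset_password", "published": "2022-01-18T14:02:11.000Z",
     "actor": {"alternateId": "support.eng@vendor.example"},
     "target": [{"alternateId": "alice@corp.example"}], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.account.reset_password", "published": "2022-01-19T09:30:00.000Z",
     "actor": {"alternateId": "bob@corp.example"},
     "target": [{"alternateId": "bob@corp.example"}], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.reset_all", "published": "2022-01-20T17:45:09.000Z",
     "actor": {"alternateId": "support.eng@vendor.example"},
     "target": [{"alternateId": "carol@corp.example"}], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2022-01-21T08:00:00.000Z",
     "actor": {"alternateId": "alice@corp.example"}, "target": [], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.account.reset_password", "published": "2021-09-01T10:00:00.000Z",
     "actor": {"alternateId": "helpdesk@corp.example"},
     "target": [{"alternateId": "dave@corp.example"}], "outcome": {"result": "SUCCESS"}},
])

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def resets_to_verify(log_text, now_iso, lookback_days=90):
    """Successful resets inside the lookback window that someone else performed on a
    user, oldest first. Self-service resets (actor == target) are skipped: they are
    not what a misused support or admin account would produce."""
    cutoff = parse_ts(now_iso) - timedelta(days=lookback_days)
    found = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["eventType"] not in RESET_EVENTS or ev["outcome"]["result"] != "SUCCESS":
            continue
        when = parse_ts(ev["published"])
        if when < cutoff:
            continue
        actor = ev["actor"]["alternateId"]
        for user in (t["alternateId"] for t in ev["target"]):
            if user != actor:
                found.append({"when": when, "user": user, "by": actor, "event": ev["eventType"]})
    return sorted(found, key=lambda r: r["when"])

def review_list(resets):
    """Group by affected user so each can be asked, out of band, whether they requested it."""
    by_user = {}
    for r in resets:
        by_user.setdefault(r["user"], []).append((r["when"].isoformat(), r["by"], r["event"]))
    return by_user

if __name__ == "__main__":
    for user, items in review_list(resets_to_verify(SAMPLE_LOG, "2022-03-23T00:00:00.000Z")).items():
        print(user, items)
```

Any user on the resulting list whose reset cannot be confirmed by contacting them directly is a candidate for the access-disable and forced-reset steps described above.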
Going Forward
The data security and cybersecurity world is constantly in motion, and all organizations need to be vigilant and flexible to keep up with the evolving digital environment. Protecting your organization’s proprietary data and customer information is paramount, and as attackers’ methods and motives change, your tools and tactics must evolve as well. Take the proper steps now to defend your data in the future.
Note: As this article is referencing ongoing investigations, publicly available details pertaining to specific crimes mentioned may alter as law enforcement and analysis proceeds. This article may not be updated to reflect every development in the cases mentioned.
About DriveStrike
Endpoint Security is an integral part of any organization’s security posture. DriveStrike provides an intuitive, effective, and integrated suite that manages encryption, remote wiping, device locking, and geolocating through an easy-to-use online console. Reach out to our team with any questions and start your free 30-day trial to begin protecting your devices and data. Your security is our priority!