Okta now manages third-party devices accessing its customer support tools

Identity and access management provider Okta says a cyber attacker accessed data from just two customers, not 366 as originally feared, after a computer at a third-party support provider was hacked by the Lapsus$ extortion gang.

In a report on Wednesday, Okta security chief David Bradbury said the January attack on customer service provider Sitel lasted just 25 minutes. “During this limited window of time, the threat actor accessed two active client tenants in the SuperUser app (which we notified separately) and accessed limited additional information in certain other apps like Slack and Jira which cannot be used to perform actions in Okta tenant clients,” he wrote.

The threat actor was unable to successfully perform Okta configuration changes, multi-factor authentication password resets, or customer support “impersonation” events, Bradbury said. The attacker was also unable to authenticate directly to Okta accounts.

Among a number of steps taken to improve customer confidence, Okta is ending its relationship with Sykes/Sitel and will now directly manage all third-party devices that access its customer support tools.

A section titled “Lessons Learned” included three categories:

1. Third-party risk management:

  • Okta said it is strengthening its procedures for auditing its sub-processors and will confirm that they comply with its new security requirements. “We will require contractors providing support services on behalf of Okta to adopt ‘Zero Trust’ security architectures,” the report states, “and authenticate through Okta’s IDAM solution for all workplace applications.”

2. Access to customer support systems:

  • Okta will now directly manage all third-party devices that access its customer support tools, providing the visibility needed to effectively respond to security incidents without relying on a third party. “This will allow us to significantly reduce response times and report to customers with greater certainty of actual impact, rather than potential impact,” the report says.
  • The company is making further changes to its customer support tool to narrowly limit the information a support engineer can view. These changes also provide greater transparency on when this tool is used in customer admin consoles (via the system log), he said.

3. Customer communication: Okta is reviewing its communication processes and will adopt new systems to communicate more quickly with customers about security and availability issues.

“It pains us,” Bradbury wrote, “that while Okta’s technology excelled during the incident, our efforts to communicate Sitel’s events fell short of our own and our customers’ expectations.”

Last month, Bradbury admitted that Okta should have acted more quickly to obtain Sitel’s full report on the cyberattack. The summary he saw led Okta to downplay the significance of the attack. It wasn’t until the Lapsus$ gang posted screenshots of the customer data they saw that Okta realized the possible issues.

Joseph P. Harris