Okta says hundreds of companies impacted by security breach

Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network.

The authentication giant admitted the compromise after the Lapsus$ hacking and extortion group posted screenshots of Okta’s apps and systems on Monday, some two months after the hackers first gained access to its network.

The breach was initially blamed on an unnamed subprocessor that provides customer support services to Okta. In an updated statement on Wednesday, Okta’s chief security officer David Bradbury confirmed the subprocessor is a company called Sykes, which last year was acquired by Miami-based contact center giant Sitel.

Customer support companies like Sykes and Sitel often have wide access to the organizations that they support for facilitating customer requests. Malicious hackers have previously targeted customer support companies, which often have weaker cybersecurity defenses than some of the highly-secured companies that they support. Microsoft and Roblox have both experienced similar targeted compromises of customer support agents’ accounts that led to access of their internal systems.

In Okta’s case, the Lapsus$ hackers were in Sitel’s network for five days over January 16-21, 2022 until the hackers were detected and booted from its network, according to Bradbury.

Okta faced considerable criticism from the wider security industry for its handling of the compromise and the months-long delay in notifying customers, which found out at the same time when news broke on social media. According to Bradbury, Sitel engaged an unnamed forensics firm to investigate, which concluded on March 10. Only a week later was the report turned over to Okta on March 17.

Bradbury said he is “greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” and admitted that Okta “should have moved more swiftly” to understand the report’s implications.

But an email from a Sitel representative disputed how Okta characterized the report, saying that the security breach “did not impact legacy Sitel Group systems or networks; only legacy Sykes’ network was affected.” (The Sitel representative declared their email “off the record,” which requires both parties to agree to the terms in advance. We are printing the responses since we were given no opportunity to decline.) The email added: “We have not found evidence of a security breach of client’s systems or networks on legacy Sykes or Sitel Group side.” The email also said that the Sitel has no evidence of a data breach, but the company declined to say if it has the means, such as logs, to determine what, if any, data was accessed or exfiltrated by the attackers. Sitel would not name the forensics firm that investigated the breach.

An earlier statement attributed to Sitel spokesperson Rebecca Sanders said: “As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk. We are unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients.”

Okta has not yet responded to TechCrunch’s questions regarding the breach.