The IT Nerd

Okta in the wake of being pwned by the LAPSUS$ hacking gang have released a statement with their version of events. And to be frank, none of it sounds good. Here’s the rundown:

• The hack actually took place in January.
• The security breach stemmed from someone gaining access to the credentials of a support engineer employed by a sub-contractor, Sitel.
• Those credentials were then used to access up to 366 client accounts.
• The company managed to suspend the engineer’s account within 70 minutes of the hack being detected.
• The subsequent forensic analysis took more than two months.
• The company didn’t really grasp the implications of this hack until much, much later.

Clearly the response to this incident by Okta isn’t as good as it could have been. And the company pretty much says that. The problem is that LAPSUS$ now have leaked data and 366 clients are now sweating buckets because they are wondering if they are going to be the next to get pwned by LAPSUS$.

Thus the takeaways are as follows:

• Your internal incident response has to be on point. In this case, it seems that this was true.
• If you have contractors and sub-contractors working for you, their security has to be on point. In this case, it sounds like that was not the case with Sitel.
• Your review of the incident has to go much quicker so that you have a full picture of what happened and what the implications are as quickly as possible.

Okta says that they will learn from this. And I would suggest that other companies look at this incident and plan accordingly based on how this one went.

This entry was posted on March 23, 2022 at 10:56 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.