3rd Party Risk Management , Governance & Risk Management , Identity & Access Management

Okta's Data Breach Debacle After Lapsus$ Attack: Postmortem

Perfect Storm: How a Minor Security Event Became a Customer Relationship Headache
Brett Winterford, regional chief security officer, APJ, Okta

Earlier this year, a group calling itself Lapsus$ went on a hacking spree, releasing source code from Microsoft and T-Mobile and data from other companies, including Samsung and Nvidia.

See Also: The Complexities of Vulnerability & Patch Management

In March, Lapsus$ claimed another high-profile victim: Okta, one of the most popular identity management vendors that counts big-name clients around the world. Lapsus$ claimed to have powerful access and published incriminating-looking screenshots that appeared to support its claim. The problem was nearly none of it was actually true (see Okta: Hackers Accessed Just 2 Customer Tenants in Breach).

But it caused major headaches for Okta, as its customers feared their identity access systems might be at risk. Luckily, those systems were not, but the optics looked bad.

"When those screenshots were published, most people took what they [Lapsus$] said on face value," says Brett Winterford, regional chief security officer with Okta in the Asia, Pacific and Japan region.

At the center of the drama was Sitel, Okta's customer support contractor. In January, Lapsus$ briefly gained access to a thin client session of a customer support engineer, but the access wasn't nearly as powerful as the group claimed.

"They were able to click around, take some screenshots," Winterford said. "They were basically able to do this shoulder surfing exercise for 25 minutes. But the actions that they attempted didn't result in any compromise or configuration changes."

Sitel hired a forensics firm to investigate the incident, but still hadn't provided the report to Okta when Lapsus$ suddenly dumped the screenshots in March. And when Sitel did send the report, it mistakenly sent it to Okta's procurement department. Winterford says Okta should have more aggressively pursued obtaining the report.

"That was a mistake," Winterford says. "We followed up on several occasions, trying to get more information. But at the end of the day, we were way too patient."

In this video interview, Winterford discusses:

  • How Okta detected the malicious activity by Lapsus$ in January;
  • Why the claims of Lapsus$ were false;
  • What security challenges companies have in dealing with third parties.

Winterford is the regional chief security officer at Okta. He advises policymakers, business leaders and fellow security professionals on evolving threats and opportunities to improve their security posture. Prior to Okta, he held a senior leadership role at Symantec and helmed security management, research and education at Commonwealth Bank. He's best known for his work as a security journalist. In 2020, he was the founding editor of the Srsly Risky Biz newsletter, a companion to the "Risky Business" podcast, providing the cybersecurity, policy, defense and intelligence communities with a weekly brief of the news that shapes cyber policy.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.