“We want to acknowledge that we made a mistake,” identity authentication company Okta said Friday regarding a two-month delay in notifying customers about a compromised account at a third-party contractor that potentially exposed customers to risk.
The statement came on a frequently asked questions page that included a timeline for the incident at the customer service contractor Sitel in January and provided more details about Okta’s response. Security experts and customers widely criticized Okta last week for not being more transparent about what happened.
“Sitel is our service provider for which we are ultimately responsible,” Okta said.
Okta did not publicly comment on the intrusion until March 22, after the cybercrime group Lapsus$ posted screenshots showing access to some aspects of the company’s network.
“On January 20, 2022, the Okta Security team was alerted that a new factor was added to a Sitel customer support engineer’s Okta account. This factor was a password,” Okta said Friday. “Although that individual attempt was unsuccessful, out of an abundance of caution, we reset the account and notified Sitel, a third-party vendor that helps us provide customer support, and Sitel engaged a leading forensic firm to perform an investigation.”
Okta has not named the company hired to conduct the investigation. According to the timeline, the report was finished Feb. 28 and delivered to Sitel on March 10. Okta received its summary on March 17. TechCrunch reported Monday that incident response company Mandiant provided Okta with that document. Security researcher Bill Demirkapi later tweeted screenshots from what he claimed to be the document.
Okta said that in January, all it knew is that its own team had detected a problem at Sitel, and that the contractor had taken steps to respond.
“At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel,” Okta said. “In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”
Okta said last week that as many as 366 customers — of the thousands that it serves worldwide — were potentially affected. In Friday’s post, it said it has contacted the customers and is continuing to investigate.
“The potential impact to Okta customers is limited to the access that support engineers have” at a contractor like Sitel, Okta said.
Okta reported last week that the intrusion began Jan. 16. Friday the company said it appears that Sitel’s response stopped it completely after Jan. 20.
“We are confident that the activity was constrained to this five-day period because the forensic report from Sitel’s vendor (a leading forensic firm) confirmed this time period, and we verified the time period by reviewing our own logs,” Okta said.