Okta, who has a business relationship with Sitel, says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network.
The authentication giant admitted the compromise after the Lapsus$ hacking and extortion group posted screenshots of Okta’s apps and systems on Monday, two months after the hackers first gained access to its network.
The breach was initially blamed on an unnamed subprocessor that provides customer support services to Okta. In an updated statement on Wednesday, Okta’s chief security officer David Bradbury confirmed the subprocessor is a company called Sykes, which was acquired by Miami-based contact center giant Sitel last year.
Customer support companies like Sykes and Sitel often have broad access to support organizations to facilitate customer requests. Malicious hackers have previously targeted customer support companies, which often have weaker cybersecurity defenses than some of the highly-secured companies they support. Microsoft and Roblox have both experienced similarly targeted compromises of customer support agents’ accounts that led to access to their internal systems.
In Okta’s case, the Lapsus$ hackers were in Sitel’s network for five days over January 16-21, 2022, until the hackers were detected and booted from its network, according to Bradbury.
Okta faced considerable criticism from the wider security industry for its handling of the compromise and the months-long delay in notifying customers, which found out at the same time when news broke on social media. According to Bradbury, Sitel engaged an unnamed forensics firm to investigate, which concluded on March 10. Only a week later was the report turned over to Okta on March 17.
Bradbury said he is “greatly disappointed by the long period that transpired between our notification to Sitel and the issuance of the complete investigation report” and admitted that Okta “should have moved more swiftly” to understand the report’s implications.
But an email from a Sitel representative disputed how Okta characterized the report, saying that the security breach “did not impact legacy Sitel Group systems or networks; only legacy Sykes’ network was affected.” (The Sitel representative declared their email “off the record,” which requires both parties to agree to the terms in advance. We are printing the responses since we were given no opportunity to decline.) The email added: “We have not found evidence of a security breach of client’s systems or networks on legacy Sykes or Sitel Group side.” The email also said that Sitel has no evidence of a data breach, but the company declined to say if it has the means, such as logs, to determine what data was accessed or exfiltrated by the attackers. Sitel would not name the forensics firm that investigated the breach.
An earlier statement attributed to Sitel spokesperson Rebecca Sanders said: “As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk. We cannot comment on our relationship with any specific brands or the nature of the services we provide for our clients.”