UPDATE: Okta Concludes Investigation, Determines Only Two Tenants Affected

Publish Date


Cyber Alert

  • Cybersecurity
  • Cybersecurity Resources

This is an updated version from a previous article published on March 25.

On April 19th, 2022, Okta released the conclusions of their investigation into a January 2022 compromise when hackers gained access to a third-party customer support engineer’s device via a remote desktop protocol while the engineer was logged into Okta systems. The hackers had access between January 16th - January 21st before Okta terminated the session and informed the third-party provider. 

Through an investigation with internal security experts as well as a third-party cybersecurity firm, Okta determined that the threat actor took control of a single Sitel workstation (with access to Okta resources) for 25 consecutive minutes on January 21, 2022. In that timeframe, the threat actor accessed two active client tenants and is said to have viewed limited information in Slack and Jira without the ability to perform actions or make changes. Attempts to change configurations, reset passwords, bypass mutli-factor authentification (MFA), or conduct customer service “impersonation” events were not successful. The threat actor could not authenticate directly to any Okta accounts.

Investigation Timeline

January 20, 2022—Okta Security investigates an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The MFA attempt was not accepted by the user. 

January 21, 2022—Okta Service Desk joins the investigation. They terminated the user’s Okta sessions and suspended their account until a root cause could be determined. Okta communicated indicators of compromise to Sitel.

February 28, 2022—Sitel’s retained forensic firm’s investigation concludes. 

March 10, 2022—Sitel receives their forensic firm’s investigative report.

March 17, 2022—Okta receives a summary report of the compromise investigation from Sitel.

March 22, 2022—Hacker group Lapsus$ shares screenshots of Okta’s internal systems. Okta receives a full report of the compromise investigation from Sitel. Okta released a statement declaring no malicious ongoing activity was detected.

March 23, 2022—Okta updated their investigation release and determined the maximum potential impact of the compromise could affect 366 customers whose Okta tenant was accessed by Sitel.

April 19, 2022—Okta released the investigation’s conclusion.

Okta’s Response

Okta has since terminated its relationship with Sitel.

In the wake of the compromise, Okta committed to two follow-up actions:

  1. Enhancing their third-party risk management and audit procedures.
    All third-party support sub-processors who provide support services to Okta must adopt their “zero trust” security architecture. 
  2. Augmenting their customer support systems.
    Okta will manage all third-party devices that access customer support tools to reduce response times, increase transparency, and more effectively respond to cybersecurity incidents. They will also limit what information a technical support engineer can view in the support tools.

The Future of Cyber Incident Disclosures

To prevent organizations, customers, and investors from being kept in the dark about cyber incidents, the Securities and Exchange Commission (SEC) released a package of proposals to enhance cybersecurity reporting for both publicly traded companies as well as registered investment advisers

If the proposals are ratified, the projected reporting requirements are:

  • Publicly traded companies must disclose material cyber incidents within four business days, as well as disclose when a sequence of formerly undisclosed immaterial cybersecurity incidents become material.
  • Registered investment advisors must submit a Form ADV-C within 48 hours of determining that a significant cybersecurity event has happened or is currently happening.

Similarly, on March 1, the U.S. Senate pushed through the House of Representatives called the Strengthening American Cybersecurity Act, which if passed, would require critical infrastructure companies to report a cyber-attack to Cybersecurity and Infrastructure Agency (CISA) within 72 hours.

The SEC’s goal is to increase transparency around events that can affect capital markets and investment decisions. Moreover, if multiple entities report similar events, it can signal a market-wide event.

Our Guidance

As advised by President Biden on March 21st, all organizations in the private sector should “harden [their] cyber defense immediately.” Though the scope of the compromise was smaller than originally anticipated, it is critical for organizations to manage their third-party relationships before signing, throughout the working relationship, and after contract expiration. 

Organizations should focus their vendor due diligence on the vendor’s cyber program and protections, particularly around the handling and location of sensitive data. Further follow up with vendors is necessary to ensure risk findings are addressed after the due diligence phase. Organizations should consider establishing standard contractual obligations for vendors requiring notification of cybersecurity incidents and to protect infrastructure and sensitive information.

In the near-term, we recommend taking the following precautionary steps to protect your organization from compromises from third parties.

  • Monitor and review logs for suspicious activity.
  • Rotate and reset admin credentials. 
  • Communicate with your MSP about how they respond to compromises. 

How We Help

For questions about this alert, or to find out how we can help you meet your regulatory cybersecurity obligations, please reach out to your consultant or contact us.