Okta now manages devices of third parties accessing its customer support tools

Identity and access management provider Okta says a cyber attacker accessed the data of only two customers, not 366 as originally feared, after the hacking of one computer at a third-party support supplier by the Lapsus$ extortion gang.

In a report Wednesday, Okta chief security officer David Bradbury said the January attack on customer support provider Sitel lasted only 25 minutes. “During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” he wrote.

The threat actor was unable to successfully perform any Okta configuration changes, multifactor authentication password resets or customer support “impersonation” events, Bradbury said. Nor was the attacker able to authenticate directly to any Okta accounts.

Among a number of moves being made to improve customer trust, Okta is terminating its relationship with Sykes/Sitel, and will now directly manage all devices of third parties that access its customer support tools.

A section entitled “Lessons Learned” included three categories:

1. Third-party risk management:
  • Okta said it is strengthening its audit procedures of its sub-processors and will confirm they comply with its new security requirements. “We will require that sub-processors who provide Support Services on Okta’s behalf adopt ‘Zero Trust’ security architectures,” the report says, “and that they authenticate via Okta’s IDAM solution for all workplace applications.”
2. Access to customer support systems:
  • Okta will now directly manage all devices of third parties that access its customer support tools, providing the necessary visibility to effectively respond to security incidents without relying on a third party. “This will enable us to significantly reduce response times and report to customers with greater certainty on actual impact, rather than potential impact,” the report said.
  • The company is making further modifications to its customer support tool to restrictively limit what information a technical support engineer can view. These changes also provide greater transparency about when this tool is used in customer admin consoles (via System Log), it said.
3. Customer communications: Okta is reviewing its communications processes and will adopt new systems to communicate more rapidly with customers on security and availability issues. “It pains us,” Bradbury wrote, “that while Okta’s technology excelled during the incident, our efforts to communicate about events at Sitel fell short of our own and our customers’ expectations.”

Last month Bradbury admitted that Okta should have moved faster to get the full report from Sitel about the cyberattack. The summary it saw led Okta to initially downplay the attack. It was only when the Lapsus$ gang published screenshots of the customer data it had seen that Okta realized the possible problems.

The post Okta now manages devices of third parties accessing its customer support tools first appeared on IT World Canada.
Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.