New Lapsus$ Hack Documents Make Okta’s Response Look More Bizarre

In the week since the digital extortion group Lapsus$ first revealed that it had breached the identity management platform Okta through one of the company’s subprocessors, customers and organizations across the tech industry have been scrambling to understand the true impact of the incident. The subprocessor, Sykes Enterprises, which is owned by the business services outsourcing company Sitel Group, confirmed publicly last week that it suffered a data breach in January 2022. Now, leaked documents show Sitel’s initial breach notification to customers, which would include Okta, on January 25, as well as a detailed “Intrusion Timeline” dated March 17.

The documents raise serious questions about the state of Sitel/Sykes’ security defenses prior to the breach, and they highlight apparent gaps in Okta’s response to the incident. Sitel declined to comment about the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED.

Okta said in a statement, “We are aware of the public disclosure of what appears to be a portion of a report Sitel prepared regarding its incident. … Its content is consistent with the chronology we have disclosed regarding the January 2022 compromise at Sitel.” The company added, “Once we received this summary report from Sitel on March 17, we should have moved more swiftly to understand its implications. We are determined to learn from and improve following this incident.”

When the Lapsus$ group published screenshots claiming it had breached Okta on March 21, the company says that it had already received Sitel’s breach report on March 17. But after sitting with the report for four days, Okta seemed to be caught flat-footed when the hackers took the information public. The company even initially said, “The Okta service has not been breached.” WIRED has not seen the complete report, but the “Intrusion Timeline” alone would presumably be deeply alarming to a company like Okta, which essentially holds the keys to the kingdom for thousands of major organizations. Okta said last week that the “maximum potential impact” of the breach reaches 366 customers.

The timeline, which was seemingly produced by security…