Okta Concludes its Investigation Into the January 2022 Compromise
David Bradbury April 19, 2022
We have concluded our investigation into the January 2022 compromise of our third-party vendor.
At the outset of our investigation, we focused on a five-day window of time, between January 16 and 21, when the third-party forensic firm, engaged by our vendor Sitel, indicated that the threat actor had access to their environment. Based on that window of time, we determined that the maximum potential impact of the incident was 366 Okta customers whose tenants were accessed by any Sitel customer support engineer within that time.
As a result of the thorough investigation by our internal security experts, as well as by a globally recognized cybersecurity firm which we engaged to produce a forensic report, we are now able to conclude that the impact of the incident was significantly less than the maximum potential impact Okta initially shared on March 22, 2022.
The final forensic report of the globally recognized cybersecurity firm we engaged concluded that:
- The threat actor actively controlled a single workstation, used by a Sitel support engineer, with access to Okta resources.
- Control lasted for 25 consecutive minutes on January 21, 2022.
- During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.
- The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support “impersonation” events.
- The threat actor was unable to authenticate directly to any Okta accounts.
While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta.
Working with our customers
When Okta first became aware on March 21, 2022 that the threat actor had successfully taken screenshots, we responded with transparency, sharing what we knew at the time. On March 22, 2022, we began notifying the maximum number of potentially impacted customers, which we scoped by examining all of the access performed by all Sitel employees to the SuperUser application during the five-day window. We have shared logs from the SuperUser app with each of these customers, and held meetings that included Okta Security staff to help customers understand their log data. We have done this to demonstrate our commitment to rebuilding their trust and to working alongside them to reaffirm the security of their Okta service.
Now that we have reached the conclusion of our investigation, we have provided the Okta customers we initially believed to be impacted with the following two documents:
- The final forensic report, prepared for Okta by a globally recognized cybersecurity forensic firm.
- The Okta Security Action Plan, which outlines Okta’s short- and long-term steps to strengthen the security of our third-party processors with access to customer support systems.
Beyond those potentially impacted organizations, we recognize how vital it is to take steps to rebuild trust within our broader customer base and ecosystem. The conclusions from the final forensic report do not lessen our determination to take corrective actions designed to prevent similar events and improve our ability to respond to security incidents. That starts with reviewing our security processes and pushing for new ways to accelerate updates from third parties and internally for potential issues, both big and small. We will continue to work to assess potential risks and, if necessary, communicate with our customers as fast as we can.
We have also committed to taking action on a number of fronts:
1. Third-party risk management:
- Okta is strengthening our audit procedures of our sub-processors and will confirm they comply with our new security requirements. We will require that sub-processors who provide Support Services on Okta's behalf adopt “Zero Trust” security architectures and that they authenticate via Okta’s IDAM solution for all workplace applications.
- Okta has terminated its relationship with Sykes/Sitel.
2. Access to customer support systems:
- Okta will now directly manage all devices of third parties that access our customer support tools, providing the necessary visibility to effectively respond to security incidents without relying on a third party. This will enable us to significantly reduce response times and report to customers with greater certainty on actual impact, rather than potential impact.
- We are making further modifications to our customer support tool to restrictively limit what information a technical support engineer can view. These changes also provide greater transparency about when this tool is used in customer admin consoles (via System Log).
3. Customer communications: We are reviewing our communications processes and will adopt new systems that help us to communicate more rapidly with customers on security and availability issues.
The path ahead
Okta’s customers are our pride, purpose, and #1 priority. It pains us that, while Okta’s technology excelled during the incident, our efforts to communicate about events at Sitel fell short of our own and our customers’ expectations.
Okta’s leadership team has met with thousands of customers over the past few weeks to talk through our response directly.
We conclude this investigation with a far stronger partnership and a sense of a shared journey with our customers. We recognize how critical Okta is to so many organizations and the individuals who rely on them, and are more determined than ever to deliver for them.