Okta CEO says Lapsus$ hack is 'Big Deal,' but doesn’t know how many customers affected

Okta Inc. doesn't yet know how many of its customers were affected by a January data breach that the company waited nearly two months to make public, Chief Executive Officer Todd McKinnon said Monday during an interview with Bloomberg Television.

Okta, which provides user authentication services, revealed last month that it had been hacked in January after a group taking responsibility for the intrusion, Lapsus$, posted screenshots that appeared to show access to Okta accounts. As the “trusted identity provider for over 15,000 companies,” McKinnon said, “anytime something like this happens, it's a big deal.”

The hackers used an unnamed competitor's software to break into a third-party call center, where about 40 people acted as support agents for Okta to provide help to customers, he said. Hackers took screenshots of what the support agents were doing on their computers and posted them, McKinnon said.

“I want to be really clear that we're responsible,” he said. “So third-party this and third-party that. It's our responsibility to make sure this stuff doesn't happen.”

McKinnon said as many as 366 customers were potentially affected, but the investigation hasn't yet determined the exact number.

While Okta learned about the security incident in January, the San Francisco-based company confirmed the compromise on March 22, after Lapsus$ hackers went public with evidence of a breach. The delay was “unacceptable,” McKinnon said Monday, adding that the “communication was not as clear as it should have been.” 

But he said an initial investigation in January didn't reveal the extent of the incident.

“For all intents and purposes, the first time we knew about the severity of this and what hackers actually got, was on March 22,” he said. He said the technical impact to the customers – what they need to do, what disclosures they need to make –  is “near zero.”

Okta also is preparing to release a report to customers including more details about the incident, he said. The company no longer works with the call center where the compromise occurred. 

“We are a trusted brand and that trust has been damaged,” McKinnon said. 

Sitel Group, the third party at the center of the breach, said in a statement Monday that it “took swift action to contain the incident and to protect any potentially impacted clients.” The company also said that it enlisted the services of a global cybersecurity firm to conduct an investigation and would continue to work with the firm to evaluate other potential risks. In a March 29 statement, Sitel Group said that it had traced the breach to another firm it had acquired in August 2021. 

As a result of its assessments, “we are confident there is no longer a security risk,” the company said in the statement Monday.