Okta, the identity and access management company W&L uses to secure user authentication into university applications through the MyApps single sign-on page, has been in the news recently due to a security incident. Over a five-day window earlier this year (January 16 – 21, 2022), a threat actor gained access to a sub-processor firm’s Okta account. Following the leak of screenshots by the LAPSUS$ hacking group that appear to confirm a data breach, many of Okta’s customers have questioned the impact the recent compromise will have on their own systems and networks.
We have confirmed that W&L is NOT among those impacted by the breach and no corrective action is required by ITS or our campus users.
Details of the Incident
According to David Bradbury, Chief Security Officer at Okta, a customer support engineer’s laptop was the source of the intrusion. The device was “owned and managed by Sitel Group”, one of Okta’s sub-processors. An attacker was able to gain remote access to the engineer’s laptop and capture screenshots of customer information. Okta was able to confirm the attacker did not gain access to the Okta service, but rather to a layer that exists outside of full access rights and privileges.
Fortunately, it appears the sub-processor’s use of multi-factor authentication triggered an alert when the hackers attempted to create an addition to the user’s MFA account, denying further entry into the Okta service. W&L uses a similar layered approach to security by requiring all users to enroll in Duo MFA to gain single sign-on access to university applications.
What is an Okta Sub-Processor?
According to disclosures provided on Okta’s public-facing website, “sub-processors are entities that have received authorization by Okta, Inc. to process Customer Data and assist Okta with respect to the provision of the applicable Service under the Okta Master Subscription”.
Who is Impacted by the Breach?
After a forensic analysis, it was determined that up to 366 customers may have been impacted by the hack. These customers have been contacted and will be receiving an incident report with additional details. Further, we have confirmed that W&L is NOT among those impacted by the breach and no corrective action is required by ITS or our campus users.
Should you have additional questions about this issue, please contact the ITS Helpdesk at X4357 or help@wlu.edu.