Sitel blames Okta breach on ‘legacy’ network from acquisition

Sitel, the company at the center of a wide-ranging data breach affecting popular access management provider Okta, cited a legacy network from a recent acquisition as the cause of the security incident. 

The company has faced significant backlash since Okta revealed that it notified them of the breach in January and had to wait until March before a full report on the incident was compiled and sent. 

Before the report was released and customers were informed, extortion group Lapsus$ released data from Okta that was obtained through the compromise of Sitel’s systems. 

In a statement this week, Sitel said they traced the breach back to a legacy network of Sykes Enterprises, a company Sitel acquired in August 2021. Sitel said it was releasing the statement because they feel some facts “have been portrayed inaccurately in recent media coverage.”

“Late on January 20, 2022, Sitel Group was made aware of a security incident affecting a portion of the legacy Sykes network only. Following this security incident, Sitel Group took swift action to contain the attack and to notify and protect any potentially impacted clients who were serviced by the legacy organization,” the company said. 

“The next morning, on January 21, 2022, Sitel Group issued client-facing communications to notify customers who were possibly impacted by this incident.”

The Record reached out to Sitel following their disclosure, asking how many other clients besides Okta were impacted by the breach. On its website, the company says it works in at least 40 countries and has more than 700 deals with customer brands. 

Rebecca Sanders, director of global communications for Sitel, said in an email that the company had “nothing further to add at this time.”

Security researcher Bill Demirkapi released a copy of a report that he said was compiled by cybersecurity firm Mandiant about the breach, highlighting the step-by-step process Lapsus$ hackers used to gain access to Sitel’s systems. 

New documents for the Okta breach: I have obtained copies of the Mandiant report detailing the embarrassing Sitel/SYKES breach timeline and the methodology of the LAPSUS$ group. 1/N https://t.co/z05uQYclg9 pic.twitter.com/e0T4EdWPxT

— Bill Demirkapi (@BillDemirkapi) March 28, 2022

According to the documents, the hackers exploited CVE-2021-34484 before using off-the-shelf tools from GitHub to bypass the company’s FireEye endpoint agent. From there, the hackers downloaded popular credential dumping utility Mimikatz and created backdoor users into Sitel's environment after gaining access to an Excel document titled "DomAdmins-LastPass.xlsx."

Sitel denied that the spreadsheet had anything to do with the breach.

“Several media articles have falsely alleged that a spreadsheet was disclosed that contained compromised passwords and contributed to the security incident. This ‘spreadsheet’ identified in recent news articles simply listed account names from legacy Sykes but did not contain any passwords,” the company said. 

“The only reference to passwords in the spreadsheet was the date in which passwords were changed per listed account; no passwords were included in this spreadsheet. Such information is inaccurate and misleading and did not contribute to the incident.”

They went on to say that they are working with law enforcement on the issue and will not release any more information about the situation. 

Sitel also denied that it had left its clients in the dark, arguing that it was in “ongoing and regular communications with the customers who may have been impacted” by the incident.

Emsisoft threat analyst Brett Callow said the identity of the other clients and the extent to which they may have been impacted is not known at this point, but noted that “Sitel’s statement would appear to imply that Okta was not the only one of the companies’ clients to be impacted.”