Cybercrime

Sitel blames Okta breach on ‘legacy’ network from acquisition

Sitel, the company at the center of a wide-ranging data breach affecting popular access management provider Okta, cited a legacy network from a recent acquisition as the cause of the security incident. 

The company has faced significant backlash since Okta revealed that it notified them of the breach in January and had to wait until March before a full report on the incident was compiled and sent. 

Before the report was released and customers were informed, extortion group Lapsus$ released data from Okta that was obtained through the compromise of Sitel’s systems. 

In a statement this week, Sitel said they traced the breach back to a legacy network of Sykes Enterprises, a company Sitel acquired in August 2021. Sitel said it was releasing the statement because they feel some facts “have been portrayed inaccurately in recent media coverage.”

“Late on January 20, 2022, Sitel Group was made aware of a security incident affecting a portion of the legacy Sykes network only. Following this security incident, Sitel Group took swift action to contain the attack and to notify and protect any potentially impacted clients who were serviced by the legacy organization,” the company said. 

“The next morning, on January 21, 2022, Sitel Group issued client-facing communications to notify customers who were possibly impacted by this incident.”

The Record reached out to Sitel following their disclosure, asking how many other clients besides Okta were impacted by the breach. On its website, the company says it works in at least 40 countries and has more than 700 deals with customer brands. 

Rebecca Sanders, director of global communications for Sitel, said in an email that the company had “nothing further to add at this time.”

Security researcher Bill Demirkapi released a copy of a report that he said was compiled by cybersecurity firm Mandiant about the breach, highlighting the step-by-step process Lapsus$ hackers used to gain access to Sitel’s systems. 

According to the documents, the hackers exploited CVE-2021-34484 before using off-the-shelf tools from GitHub to bypass the company’s FireEye endpoint agent. From there, the hackers downloaded popular credential dumping utility Mimikatz and created backdoor users into Sitel’s environment after gaining access to an Excel document titled “DomAdmins-LastPass.xlsx.”

Sitel denied that the spreadsheet had anything to do with the breach.

“Several media articles have falsely alleged that a spreadsheet was disclosed that contained compromised passwords and contributed to the security incident. This ‘spreadsheet’ identified in recent news articles simply listed account names from legacy Sykes but did not contain any passwords,” the company said. 

“The only reference to passwords in the spreadsheet was the date in which passwords were changed per listed account; no passwords were included in this spreadsheet. Such information is inaccurate and misleading and did not contribute to the incident.”

They went on to say that they are working with law enforcement on the issue and will not release any more information about the situation. 

Sitel also denied that it had left its clients in the dark, arguing that it was in “ongoing and regular communications with the customers who may have been impacted” by the incident.

Emsisoft threat analyst Brett Callow said the identity of the other clients and the extent to which they may have been impacted is not known at this point, but noted that “Sitel’s statement would appear to imply that Okta was not the only one of the companies’ clients to be impacted.”

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Recent Posts

Ransomware attack on Indianapolis Housing Agency leaks sensitive info on 200,000 residents

The Indianapolis Housing Agency is notifying more than 200,000 people that their information, including Social…

9 hours ago

New York’s Andrew Garbarino takes helm of House’s cybersecurity subcommittee

New York Republican Andrew Garbarino has been chosen as the new chairman of the House's…

10 hours ago

TSA issues security directive to airports, carriers after ‘no-fly’ list leak

The Transportation Security Administration has issued a security directive to all U.S. airports and air…

12 hours ago

Russian foreign ministry claims to be the target of ‘coordinated’ cyber aggression

Russia’s deputy foreign minister claimed this weekend that the country has been the target of…

16 hours ago

British retailer JD Sports reveals 2-year-old intrusion affecting data of 10 million customers

British sportswear retailer JD Sports announced Monday that data belonging to approximately 10 million unique…

16 hours ago

How Ukraine’s Cyber Police fights fraud, scams, and attacks on critical infrastructure

Editor’s note: Ukraine’s Cyber Police had a busy year in 2022. The law enforcement agency…

1 day ago