
The Lapsus$ Breach of Okta Reveals Organisations are not as Mature as They Think, says MyCena

April 2022 by MyCena Security Solutions

In early March 2022, authentication security company Okta reported that there had been an attempt to compromise the account of a third-party customer support engineer from Sitel in January, claiming the matter was investigated and contained. Okta CSO David Bradbury later admitted that up to 366 customers may have been breached, apologising for not notifying customers earlier.

This breach came from the hacking group Lapsus$, who gained notoriety with a four-month spree of cyberattacks that leaked data from high-profile technology companies, including Nvidia, Samsung, Ubisoft and even Microsoft.
None of the billions of dollars spent on cybersecurity so far has prevented the “low-tech” breach methods used by Lapsus$: social engineering, password phishing, or simply paying employees for their credentials in order to reset passwords and MFA.

What is more concerning is the ease and depth of penetration stemming from a single breach; the group claims to have obtained access to 95% of Okta’s 15,000 customers. In its investigation, Mandiant reported that the group accessed a spreadsheet on Sitel’s internal network called “DomAdmins-LastPass.xlsx”, suggesting a list of passwords for domain administrator accounts exported from a LastPass password manager.
Julia O’Toole, Founder and CEO of MyCena Security Solutions, believes that this attack exposes the immaturity of companies’ access control and cyber-resilience models.

“By giving employees the right to create and know their passwords at work, companies have unwittingly handed their cybersecurity to their employees and exposed themselves to human errors, potential theft and internal fraud. Criminals don’t need to hack in, they just log in, with nine out of ten breaches using a legitimate password”, says O’Toole.

“The common use of single access (SSO, IAM, PAM) further exacerbates the impact of any breach, by facilitating the jump from company to company in a supply-chain attack, as illustrated by Lapsus$ going from Sitel to Okta to Okta’s customers within hours. Once inside a host network, criminals can scan and exfiltrate the most valuable data, destroy backups and deploy a ransomware payload. This ‘no-obstacle’ access flow model deprives companies of any cyber-resilience.”

O’Toole believes that this culture of transferring access risk management to employees and centralising access at a single point must be recognised as extremely dangerous for security and stopped. “With so many breaches yet undiscovered, you may not even know you’re in danger until it’s too late. Your access may have already been compromised through someone else who didn’t know that they’d been breached either.”

“In the physical world, companies give keys, fobs and cards to employees to access physical premises and take them back when the employees leave the company. In the digital world, against all common sense, that process was reversed, with employees in effect bringing their own ‘keys’ (passwords) to access the company’s digital premises. This self-inflicted loss of access control has denied companies the most basic cybersecurity, confidentiality and data control.”

“For years, companies have defended their breaches as stemming from sophisticated attacks. Thus, they pushed all their cybersecurity budgets to the edge, from threat monitoring to post-crisis management, rather than investing to improve their access security and control from the core. This unsophisticated teenager hacking group has finally shed a light on the ineffectiveness of companies’ cybersecurity programmes.”

“It is therefore of vital importance for individual companies to put access control and segmentation at the heart of their security strategy. Companies who segment access across their entire digital infrastructure, and distribute strong unique encrypted passwords to their employees, remove the potential for unauthorised password sharing, theft or phishing. They also take back access risk management from the hands of their employees, who no longer need to create, remember or type passwords.”

“With system segmentation and unique strong passwords for each digital door, if one system is breached, for example in a supply-chain attack, that breach is contained. Without a single point of failure, the rest of the network stays safe, which limits what criminals can access and puts ransomware at bay.”

