April 5, 2022 Breach

The Identity Provider as a Critical Vendor

In the modern enterprise, few vendors are as deeply integrated as identity providers. Okta, which serves over 15,000 organizations and processes billions of authentication requests, sits at the center of corporate access control. When Okta itself became the target of a breach in January 2022, it exposed a fundamental truth about third-party risk management: compromising an identity vendor can provide a pathway to hundreds of downstream organizations simultaneously.

How the Breach Happened

The intrusion did not begin at Okta's own systems. Instead, attackers from the Lapsus$ group compromised a workstation belonging to a support engineer at Sitel (now Concentrix), a third-party customer support contractor that Okta used for Tier 1 support operations. The breach of the Sitel engineer's machine occurred in January 2022, giving the attackers access to Okta's customer support tools, including the ability to view customer tenants and reset passwords.

The incident became public on March 22, 2022, when the Lapsus$ group posted screenshots on Telegram showing Okta's internal administrative tools, including the SuperUser application used for basic customer support functions. The screenshots were timestamped January 21, 2022, confirming the timeline of the intrusion.

Okta's Response and the Transparency Failure

Okta's handling of the disclosure drew widespread criticism from security professionals and customers. The company's initial public statement characterized the breach as an "attempt" that was "unsuccessful," and stated that "the Okta service has not been breached." However, this framing proved misleading. Okta later acknowledged that 2.5% of its customers — approximately 366 organizations — had potentially been affected, meaning their data could have been viewed or acted upon through the compromised support tools.

"We made a mistake. We should have been more forthcoming with information." — Todd McKinnon, Okta CEO, in a subsequent statement to customers.

The two-month delay between the January breach and the March public disclosure — with the disclosure ultimately forced by the attackers rather than Okta — raised serious questions about vendor incident notification practices.

The Lapsus$ Group

Lapsus$ (also stylized as LAPSUS$) was a threat group that gained notoriety in early 2022 for a rapid series of high-profile breaches, including Microsoft, Samsung, Nvidia, and Uber. The group was characterized by social engineering tactics, SIM swapping, and targeting of third-party contractors and help desks rather than exploiting technical vulnerabilities. In March 2022, UK police arrested several individuals connected to the group, including teenagers.

The Third-Party Risk Dimensions

The Okta-Lapsus$ incident illustrates multiple layers of vendor risk that TPRM programs must address:

Risk Layer | Description
Nth-Party Risk | Okta's customers did not have a direct relationship with Sitel, yet Sitel's compromise affected them. This is classic fourth-party (or nth-party) risk.
Identity Provider Concentration | Thousands of organizations depend on a single identity vendor, creating systemic risk across entire industries.
Privileged Access in Support | Support contractors often receive broad access to customer environments, creating high-value targets for attackers.
Incident Disclosure Timeliness | Vendor contracts must specify notification timelines; Okta's two-month delay left customers unable to respond.

TPRM Lesson Learned: Identity providers represent uniquely high-impact vendors because their compromise can cascade to every downstream customer. TPRM programs must treat identity vendors as Tier 1 critical vendors regardless of spend, mandate contractual breach notification timelines (ideally 72 hours or less), and require visibility into the vendor's own third-party relationships — including support contractors with privileged access. Vendor risk assessments for identity providers should explicitly evaluate their subcontractor access controls and incident response practices.

Practical TPRM Takeaways

Applying FAIR Quantification

The Okta incident is well-suited to FAIR risk quantification. The loss event frequency can be modeled by examining how often identity providers experience breaches (a rate that is increasing), while loss magnitude must account for the cascading impact across all downstream organizations. For any company using Okta, the probable loss magnitude from an identity provider breach includes incident response costs, credential rotation, potential unauthorized access, and regulatory exposure — costs that dwarf the annual subscription fee.
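As an added illustration (not code from the article or from the Fair TPRM project), the following Python sketch carries the FAIR estimate through for a hypothetical Okta customer: loss event frequency is an assumed yearly breach rate, loss magnitude sums the four loss forms named above using constructed triangular ranges, and a Monte Carlo run turns the two into an annualised loss exposure with its tail percentiles. Every dollar figure and the 0.10 frequency are placeholders to be replaced with calibrated estimates.

```python
import math
import random

# Loss forms named in the article, as (min, mode, max) USD triangles; constructed placeholders.
LOSS_FORMS = {
    "incident_response": (50_000, 150_000, 400_000),
    "credential_rotation": (20_000, 60_000, 150_000),
    "unauthorized_access": (0, 250_000, 2_000_000),
    "regulatory_exposure": (0, 100_000, 1_500_000),
}
LOSS_EVENT_FREQUENCY = 0.10    # assumed: IdP breach events per year that reach this tenant
ANNUAL_SUBSCRIPTION = 120_000  # assumed yearly IdP spend, for comparison only

def expected_loss_magnitude(loss_forms=LOSS_FORMS):
    """Mean of a triangular distribution is (min + mode + max) / 3."""
    return sum((lo + mode + hi) / 3 for lo, mode, hi in loss_forms.values())

def expected_annual_loss(lef=LOSS_EVENT_FREQUENCY, loss_forms=LOSS_FORMS):
    """FAIR annualised loss exposure = loss event frequency x loss magnitude."""
    return lef * expected_loss_magnitude(loss_forms)

def poisson(rng, lam):  # Knuth's inversion sampler; fine for small yearly rates
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_annual_losses(trials=50_000, lef=LOSS_EVENT_FREQUENCY,
                           loss_forms=LOSS_FORMS, seed=2022):
    """Per simulated year: Poisson event count, then one magnitude draw per event."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += sum(rng.triangular(lo, hi, mode)
                         for lo, mode, hi in loss_forms.values())
        years.append(total)
    return years

def summarize(trials=50_000):
    """Mean ALE, tail percentiles, and ALE relative to what the IdP costs per year."""
    losses = sorted(simulate_annual_losses(trials))
    pct = lambda p: losses[round(p / 100 * (len(losses) - 1))]
    ale = sum(losses) / len(losses)
    return {"ale": ale, "p50": pct(50), "p90": pct(90), "p99": pct(99),
            "ale_over_subscription": ale / ANNUAL_SUBSCRIPTION}
```

With these placeholder inputs most simulated years show zero loss, so the median is zero while the mean and the 99th percentile carry the exposure; it is that tail, not the typical year, that the comparison against the subscription fee should be built on.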

Protect Your Organization from Third-Party Risk

Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.

