The Lapsus$ hacking group published screenshots of Okta’s systems on March 22, taken from the laptop of a Sitel customer support engineer, which the hackers had remote access to on January 20. SEE: This sneaky type of phishing is growing fast because hackers are seeing big paydays On January 20, Okta said, it saw an attempt to directly access the Okta network using a Sitel employee’s Okta account, which was detected and blocked by Okta, which then notified Sitel. Outside of that attempted access, there was no other evidence of suspicious activity in Okta systems, it said. Okta is an important enterprise access management software vendor. It said that only 366 customers, about 2.5% of its customers, were affected. However, there have been questions as to why customers did not know about the incident sooner. The company has provided a detailed timeline of events from January 20 – when it received an alert that a new factor was added to a Sitel employee’s Okta account – to March 22, which is the date Lapsus$ published the screenshots it grabbed. Sitel hired an unnamed forensic company to investigate the breach on January 21, which concluded its work on February 28. The forensic report to Sitel is dated March 10 and Okta received a summary of that report on March 17, according to Okta’s timeline. After the screenshots were published, Okta’s chief security officer David Bradbury said he was “greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report.”