The customer services industry, a significant number of whose employees now work remotely, suddenly finds itself under a cloud of suspicion after a gang of cybercriminals known as Lapsus$ broke into companies' networks to steal sensitive data and extort them.
The gang, which apparently counts several teenagers among its ranks, posted samples of the stolen data on social media channels to pressure companies into paying a ransom.
US BPO provider Sitel, together with recently acquired Sitel Group member Sykes, is apparently still struggling to estimate how many of its clients may have been affected by a "security incident" in January this year. Collectively, the two companies have Nearshore operations in Mexico, Costa Rica, Colombia, El Salvador and Brazil.
According to reports, Lapsus$ hijacked a laptop belonging to a Costa Rican engineer working for Sykes and used it to gain access to the network of one of its clients: Okta, a San Francisco-based authentication services provider.
The gang claimed to have stolen a large amount of data including domain administrator account passwords, and posted screenshots of a few pages on its Telegram account.
The real extent of the damage caused by the intrusion is still unclear. Sitel's public response stated that it is unable to comment on the incident owing to the ongoing legal investigation, but that within 24 hours of being informed about the incident the company had "issued client-facing communications to notify customers who were possibly impacted by this incident". Nearshore Americas reached out to Sitel for further comment but the company did not respond.
Okta, meanwhile, has estimated that a maximum of 366 clients may have been affected.
What is frightening in this particular hack, compared with many other cyberattacks, is how long the criminals held their foothold: the attacker had access to a Sitel support engineer's laptop for as many as five days. "There was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer's laptop," Okta stated in its report on the incident.
In a series of blogposts, Okta’s Chief Security Officer David Bradbury said the criminals would not have been able to download customer databases or access Okta’s source code.
However, the breach has left Okta’s clients scrambling to fortify their assets. Cloudflare Inc, for example, has asked its staff to reset their credentials.
“Customer service companies are increasingly aware of the need for tight controls around the data they handle,” Jesus Hoyos, a customer service expert and principal consultant at CX2Advisory, told Nearshore Americas. “But governance processes around cybersecurity can still be improved. There is a certain fear within the industry and companies are scrambling to carry out audits to assess their own processes. But vendors don’t always already have them in place. The need for omnichannel communications through channels like WhatsApp is increasing, yet these present new opportunities for hackers.”
Even though Sitel was breached through an engineer’s laptop, and the incident had nothing to do with its call center agents, Hoyos believes the hack could damage the perception of remote work at a time when call center agents are making clear that they do not want to return to the office.
Globant and Lapsus$
In late March, news emerged that the same criminal group had hacked into the database of Argentinean IT company Globant as well.
Lapsus$ claimed that it had downloaded 70 gigabytes of source code from the software services provider. Globant confirmed the intrusion and launched an investigation.
“According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients,” stated the software services provider in a press release.
“To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.”
The Vicious Gang of Cybercriminals
Lapsus$ attacks have also left remote workers under a cloud of suspicion. After an extensive study of the group, Microsoft reported that, unlike most cybercriminals, Lapsus$ resorts even to bribery to gain access to systems.
“(They are) paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval,” the computing giant stated in a blogpost last week.
Microsoft and Roblox, an online game platform, are also among the victims of Lapsus$ cyberattacks. In both cases, the criminals accessed the companies’ internal systems after breaking into the accounts of their customer support agents.
In May 2020, an attacker told Motherboard that they had bribed a customer service agent working for Roblox to get access to the company’s network.
Some analysts argue that customer support teams generally do not have full access to their clients’ databases: using a support account, hackers cannot create, delete or download any data. Some support staff can facilitate the resetting of passwords and multi-factor authentication (MFA) factors, but the agents cannot obtain those passwords themselves.
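Because a support account can trigger password and MFA resets on other people's accounts but cannot read data, the practical question for an Okta customer after this disclosure was whether any such reset was performed on its tenant during the five-day window Okta named. The following is an added example, not code from Okta, Sitel, Cloudflare or this article, of that triage check run over a handful of constructed audit records. The record layout and the event type names (`user.account.reset_password`, `user.mfa.factor.reset_all`, and so on) are modelled on Okta's System Log conventions but are assumptions here; confirm them against your own tenant's export before relying on them. Self-service resets, where the actor and target are the same user, are treated as routine and skipped, so that only resets performed on someone else's account are reported.

```python
"""Flag privileged support actions inside a known exposure window.

Added illustration: scans identity-provider audit events (constructed JSON
records modelled on Okta System Log fields eventType/published/actor/target)
and returns those a support-tier account could have performed on another
user's account during the attacker's window.
"""
import json
from datetime import datetime, timezone

# Exposure window quoted in Okta's report. The report gives calendar dates
# only, so UTC midnight bounds are an assumption made here.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive: through Jan 21

# Actions a support-tier account is able to trigger. Assumed names following
# Okta's eventType convention; verify against your tenant's own log.
SENSITIVE_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.account.privilege.grant",
}

# Constructed sample log lines (not real Okta output). Each line is one event.
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2022-01-15T09:00:00.000Z","actor":{"alternateId":"alice@example.test","type":"User"},"target":[{"alternateId":"alice@example.test"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2022-01-18T03:12:41.000Z","actor":{"alternateId":"support-eng@vendor.test","type":"User"},"target":[{"alternateId":"bob@example.test"}]}
{"eventType":"user.account.reset_password","published":"2022-01-20T22:47:05.000Z","actor":{"alternateId":"support-eng@vendor.test","type":"User"},"target":[{"alternateId":"carol@example.test"}]}
{"eventType":"user.account.reset_password","published":"2022-01-25T10:00:00.000Z","actor":{"alternateId":"helpdesk@example.test","type":"User"},"target":[{"alternateId":"dave@example.test"}]}
{"eventType":"user.account.reset_password","published":"2022-01-19T11:30:00.000Z","actor":{"alternateId":"bob@example.test","type":"User"},"target":[{"alternateId":"bob@example.test"}]}
"""


def parse_published(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    # fromisoformat() before Python 3.11 rejects the 'Z' suffix, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious(log_text: str, start=WINDOW_START, end=WINDOW_END,
                    sensitive=SENSITIVE_EVENTS):
    """Return sensitive events inside [start, end) performed on another user's account."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventType") not in sensitive:
            continue
        when = parse_published(ev["published"])
        if not (start <= when < end):
            continue
        actor = ev.get("actor", {}).get("alternateId", "?")
        targets = [t.get("alternateId", "?") for t in ev.get("target", [])]
        # A user resetting their own password or factor is routine; a reset
        # performed by someone else (support, helpdesk, an intruder) is what
        # needs to be reviewed against the support tickets of that period.
        if actor in targets:
            continue
        hits.append({"when": when.isoformat(), "event": ev["eventType"],
                     "actor": actor, "targets": targets})
    hits.sort(key=lambda h: h["when"])
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["when"]}  {h["event"]:32}  {h["actor"]} -> {", ".join(h["targets"])}')
```

Every record this returns should be matched to a support ticket or change record from the same period; a reset with no corresponding request is the signal to rotate that user's credentials and review their sessions, which is the kind of precaution Cloudflare took with its own staff.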