Okta third-party breach exposes 5,000 employees as security woes continue

Okta logo displayed on a smartphone
(Image credit: Getty Images)

Okta has been impacted by another cyber incident, this time indirectly via a third-party data breach that left the sensitive information of thousands of its employees exposed.

Threat actors gained access to internal files of healthcare services firm Rightway Healthcare, which is used by Okta to source employee healthcare providers, on 23 September.

Rightway notified Okta of the incident in late September but did not provide files until 12 October. This sparked an internal investigation at Okta involving the analysis of 27,000 files.

This revealed a census file accessed by threat actors contained personally identifiable information (PII) belonging to Okta employees.

Okta notified employees via letter on 1 November, after it was made aware of the potential for employee information to have been exposed.

“The types of personal information contained in the impacted eligibility census file included your Name, Social Security Number, and health or medical insurance plan number,” read the letter, signed by Ronald Anderson, director cyber security legal counsel at Okta.

Okta said it had seen no evidence that personal information was misused by threat actors in the wake of the data breach. The firm has said it will provide affected employees with 24 months of free fraud detection, identity restoration, and credit card monitoring.


A whitepaper from Datto for MSPs on RMM

(Image credit: Datto)

Support your remote teams and manage customer environments


“An Okta vendor, Rightway Health, had a security incident in September 2023 in which files from April 2019 through 2020 were exfiltrated from its IT environment,” read an reactive statement from Okta shared with ITPro.

“These contained personal information about employees and their dependents from 2019/2020. This incident does not relate to the use of Okta services and Okta services remain secure. No Okta customer data is impacted by this incident.”

A breach notification made to the Maine Attorney General identified the total number of people affected by the breach as 4,961, with two of these being Maine residents.

Okta woes compounded

News of the breach came just over a week after Okta first published details of a cyber attack against its support management system.  

Okta notified customers that an unidentified threat actor had leveraged a stolen authentication token and recommended customers clean their credentials and session tokens before sharing them.

Fears that the breach could allow attackers to escalate attacks on legitimate customer accounts were realized on 2 October, with malicious activity against identity management firm BeyondTrust having arisen from one of its internal Okta accounts. 

Network services giant Cloudflare subsequently published evidence that it had been subject to an attempted breach on 18 October. 

Cloudflare said the attacker used a stolen session token from a legitimate support ticket to compromise two of the firm’s Okta support accounts.

This article was updated to include a reactive statement from Okta and clarification on the incident timeline.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.