Okta has been impacted by another cyber incident, this time indirectly via a third-party data breach that left the sensitive information of thousands of its employees exposed.
Threat actors gained access to internal files of healthcare services firm Rightway Healthcare, which is used by Okta to source employee healthcare providers, on 23 September.
Rightway notified Okta of the incident in late September but did not provide files until 12 October. This sparked an internal investigation at Okta involving the analysis of 27,000 files.
This revealed a census file accessed by threat actors contained personally identifiable information (PII) belonging to Okta employees.
Okta notified employees via letter on 1 November, after it was made aware of the potential for employee information to have been exposed.
“The types of personal information contained in the impacted eligibility census file included your Name, Social Security Number, and health or medical insurance plan number,” read the letter, signed by Ronald Anderson, director cyber security legal counsel at Okta.
Okta said it had seen no evidence that personal information was misused by threat actors in the wake of the data breach. The firm has said it will provide affected employees with 24 months of free fraud detection, identity restoration, and credit card monitoring.
Support your remote teams and manage customer environments
DOWNLOAD NOW
“An Okta vendor, Rightway Health, had a security incident in September 2023 in which files from April 2019 through 2020 were exfiltrated from its IT environment,” read an reactive statement from Okta shared with ITPro.
“These contained personal information about employees and their dependents from 2019/2020. This incident does not relate to the use of Okta services and Okta services remain secure. No Okta customer data is impacted by this incident.”
A breach notification made to the Maine Attorney General identified the total number of people affected by the breach as 4,961, with two of these being Maine residents.
Okta woes compounded
News of the breach came just over a week after Okta first published details of a cyber attack against its support management system.
Okta notified customers that an unidentified threat actor had leveraged a stolen authentication token and recommended customers clean their credentials and session tokens before sharing them.
Fears that the breach could allow attackers to escalate attacks on legitimate customer accounts were realized on 2 October, with malicious activity against identity management firm BeyondTrust having arisen from one of its internal Okta accounts.
Network services giant Cloudflare subsequently published evidence that it had been subject to an attempted breach on 18 October.
Cloudflare said the attacker used a stolen session token from a legitimate support ticket to compromise two of the firm’s Okta support accounts.
This article was updated to include a reactive statement from Okta and clarification on the incident timeline.
