AGAIN?

Okta hit by another breach, this one stealing employee data from 3rd-party vendor

Threat actor gained access to vendor's IT environment and exfiltrated personal data.

Dan Goodin
Credit: Getty Images

Identity and authentication management provider Okta has been hit by another breach, this one against a third-party vendor that allowed hackers to steal personal information for 5,000 Okta employees.

The compromise was carried out in late September against Rightway Healthcare, a service Okta uses to support employees and their dependents in finding health care providers and plan rates. An unidentified threat actor gained access to Rightway’s network and made off with an eligibility census file the vendor maintained on behalf of Okta. Okta learned of the compromise and data theft on October 12 and didn’t disclose it until Thursday, exactly three weeks later.

“The types of personal information contained in the impacted eligibility census file included your Name, Social Security Number, and health or medical insurance plan number,” a letter sent to affected Okta employees stated. “We have no evidence to suggest that your personal information has been misused against you.”

The letter, which is the first time the event has been disclosed, said that Okta opened an investigation immediately after learning of it. The investigation revealed that data for 4,961 Okta employees was included in the stolen file.

In an email, an Okta representative said that based on information Rightway provided, the intruder first gained access to a Rightway employee’s cell phone and then used that access to change credentials and take the files. The files, which were from April 2019 through 2020, were exfiltrated from Rightway’s IT environment. The personal information pertained to Okta employees and their dependents from 2019 and 2020. Okta also said that Rightway informed it that the compromise involved multiple Rightway customers.

“This incident does not relate to the use of Okta services and Okta services remain secure,” the representative said. “No Okta customer data is impacted by this incident.”

Rightway representatives didn’t immediately respond to an email seeking comment and additional details about the breach.

Thursday’s disclosure comes two weeks after Okta revealed that hackers compromised its customer support system and obtained credentials that allowed them to take control of customers’ internal Okta administration accounts. The attackers then used those credentials in follow-on hacks that targeted the internal administration accounts of 1Password, BeyondTrust, Cloudflare, and possibly other customers.

Okta is based in San Francisco and provides cloud identity, access management for single sign-on, multifactor authentication, and API services to thousands of organizations worldwide. The company has previously come under criticism for security breaches and for its handling of them afterward. Most recently, Cloudflare called out Okta for not driving the intruders out of its network until October 18, 16 days after first learning of the compromise. Cloudflare urged Okta to act more quickly in the future when it learns of security breaches, to provide disclosures sooner, and to require the use of hardware keys to protect internal systems and the systems used by third-party support providers.

“For a critical security service provider like Okta, we believe following these best practices is table stakes,” Cloudflare researchers wrote.

The Okta representative said in Thursday’s email that when the company learned of the Rightway compromise on October 12, investigators had 27,000 records to sort through. Much of the process had to be manually done and took time to complete.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.