Okta employee data breached in third-party healthcare attack

Dive Brief:

  • Nearly 5,000 current and former employees at Okta had their sensitive health information exposed by a cyberattack at Rightway Healthcare, a third-party vendor for the identity and access management provider, according to data breach notices filed Wednesday in California and Maine.
  • The third-party breach did not impact Okta services, which remain secure, and “no Okta customer data is impacted by this incident,” the company said in a statement.
  • Rightway informed Okta of the attack on Oct. 12, and said the threat actor accessed an eligibility census file on Sept. 23 that included names, Social Security numbers and health insurance plan numbers of Okta employees. Rightway did not respond to an inquiry from Cybersecurity Dive.

Dive Insight:

This is the latest in a series of security woes to hit Okta or its customer environments since late July. Although this latest incident involves a third-party vendor, it underscores the need for security diligence across all systems.

“Third-party risk is hard for any organization to manage and in this case it was a third-party, not Okta, that was breached,” John Bambenek, principal threat hunter at Netenrich, said via email. “I should hope for their employees’ sake that they are taking this event seriously, and looking at what they can do to shore up the sensitive data that they are having their third-party vendors process on their behalf.”

The Rightway breach comes less than two weeks after Okta reported that a threat actor broke into its support system with a stolen administrator account credential, resulting in multiple downstream attacks against Okta customers.

“Even though the breach originated from a third-party vendor, Rightway Healthcare, it still underscores the need for robust security measures and ongoing vigilance,” said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an email. “The ability to protect employees and customers is interconnected.”

The single sign-on provider is a high-profile target with 18,400 business customers. In 2022, Okta was hit by a phishing attack and a breach, and had its GitHub source code stolen.

“We were not provided complete details about this cyberattack from Rightway,” an Okta spokesperson said via email. “All they shared was that a threat actor carried out the attack by gaining access to a Rightway employee’s cell phone, which was then used to change credentials and access the files.”

The attack exposed the personal information of almost 5,000 current and former employees who worked at Okta between April 2019 and the end of 2020. Dependents on Okta employees’ healthcare plans were also impacted, but Okta declined to say how many the incident affected.

Okta had 5,806 employees as of July 31, according to a Form 10-Q filed with the Securities and Exchange Commission for the quarter ending July 31. Current and former employees impacted by the third-party attack were directly informed by Okta on Wednesday, and “we are reviewing our relationship with Rightway,” Okta’s spokesperson said.

Okta disclosed the breach almost three weeks after Rightway informed Okta, but noted that timing fell within the 30-day regulation for notification. “There were 27,000 records to sort through and deduplicate, which can be manual and take time,” the Okta spokesperson said.