
Okta: Third-Party Vendor Incident and Breach of Customer Support System

Okta, a San Francisco-based provider of cloud identity and access management solutions, has confirmed that the personal information of 4,961 current and former employees has been exposed in a third-party data breach at its vendor, Rightway Healthcare.

Rightway Healthcare provides support to Okta employees and their dependents and helps them find healthcare providers and rates. According to the breach notice provided to the Maine Attorney General, Okta was notified by Rightway on October 12, 2023, that there had been unauthorized access to an eligibility census file, which was used in connection with the services provided to Okta. The file contained employee names, Social Security numbers, and health or medical insurance plan numbers. Rightway’s investigation revealed the unauthorized activity occurred on September 23, 2023. The stolen files were from April 2019 through 2020. Okta said complimentary credit monitoring, identity restoration, and fraud detection services have been offered to the affected individuals.

Customer Support System Breached

Okta has also been investigating a breach of its own customer support system and announced the breach a few days after confirming the breach at Rightway Healthcare. In this incident, an unauthorized individual gained access to the files of 134 of its customers.

Okta’s investigation into this breach revealed it was most likely caused by an employee signing into their personal Google profile using the Chrome web browser on their Okta-managed laptop. The employee had saved the credentials of their Okta service account in their personal Google account.


The employee’s Okta credentials were used to access client session cookies, which allowed the attacker to bypass login screens and multi-factor authentication. 134 Okta customers were affected, but only 5 Okta sessions were accessed. Three of the affected Okta customers have publicly disclosed the breach: 1Password, BeyondTrust, and Cloudflare. Okta said its investigation revealed the unauthorized activity occurred between September 28 and October 17, 2023.

The investigation of the breach was complicated because file downloads were not identified in the customer support vendor’s logs. When a user opens a support case and views its files, a specific log event is generated along with a record ID tied to the file; however, if the user navigates directly to the Files tab in the customer support system, different log events and record IDs are generated.

The threat actor navigated directly to the Files tab, and Okta’s initial investigation focused only on access to support cases, using the initial log event and record ID. It was only when BeyondTrust identified a suspicious IP address on October 13 that Okta identified the additional file access events and linked them to the compromised employee account.
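The logging gap described above, as an added example that is not Okta’s or its vendor’s code or log schema: a hunt keyed only on the case-view event misses files the same account reached through the Files tab, while pivoting on the reported IP surfaces both event types. Event names, field names, record IDs and file names are constructed assumptions for illustration.

```python
# Added example (not Okta's or its support vendor's code or schema).
from collections import defaultdict

# Constructed sample audit records; event names, record IDs and files are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2023-09-28T10:02:11Z", "user": "svc-support", "ip": "203.0.113.7",
     "event": "support_case.file_viewed", "record_id": "CASE-1001", "file": "case-1001.log"},
    {"ts": "2023-09-28T10:05:40Z", "user": "svc-support", "ip": "203.0.113.7",
     "event": "files_tab.file_downloaded", "record_id": "FILE-77a2", "file": "case-1002.log"},
    {"ts": "2023-10-01T08:14:03Z", "user": "svc-support", "ip": "203.0.113.7",
     "event": "files_tab.file_downloaded", "record_id": "FILE-81c9", "file": "case-1003.log"},
    {"ts": "2023-10-01T09:00:00Z", "user": "alice", "ip": "198.51.100.5",
     "event": "support_case.file_viewed", "record_id": "CASE-1004", "file": "screenshot.png"},
]

# Narrow hunt: only the case-view event, as in the initial investigation.
CASE_VIEW_EVENTS = {"support_case.file_viewed"}
# Broad hunt: every event type through which file contents can be reached.
FILE_ACCESS_EVENTS = CASE_VIEW_EVENTS | {"files_tab.file_downloaded"}


def files_touched(events, event_types, user=None, ip=None):
    """Return the set of files reached via the given event types, optionally filtered by user or IP."""
    hits = set()
    for e in events:
        if e["event"] not in event_types:
            continue
        if user is not None and e["user"] != user:
            continue
        if ip is not None and e["ip"] != ip:
            continue
        hits.add(e["file"])
    return hits


def pivot_on_ip(events, ip):
    """Group every record ID seen from one IP by event type: the pivot that exposes Files-tab activity."""
    by_type = defaultdict(list)
    for e in events:
        if e["ip"] == ip:
            by_type[e["event"]].append(e["record_id"])
    return dict(by_type)


if __name__ == "__main__":
    narrow = files_touched(SAMPLE_EVENTS, CASE_VIEW_EVENTS, user="svc-support")
    broad = files_touched(SAMPLE_EVENTS, FILE_ACCESS_EVENTS, user="svc-support")
    print("missed by the case-only hunt:", sorted(broad - narrow))
    print("events from the reported IP:", pivot_on_ip(SAMPLE_EVENTS, "203.0.113.7"))
```

The practical takeaway is to enumerate every event type that can expose a file before scoping an investigation, rather than assuming one access path.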

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
