Okta is again on the report with one other cybersecurity incident, this time by way of a breach of its third-party vendor, Rightway Healthcare, which has uncovered the private and healthcare knowledge of almost 5,000 Okta staff.
In keeping with Okta’s submitting with the Maine Legal professional Common, the Rightway breach occurred on Sept. 23 and was found on Oct. 12.
Okta, in an announcement, emphasised that solely its staff, not its clients, had been impacted by the incident.
“An Okta vendor, Rightway Well being, had a safety incident in September 2023 through which recordsdata from April 2019 by 2020 had been exfiltrated from its IT surroundings,” an Okta spokesperson defined. “These contained private details about staff and their dependents from 2019/2020.”
The assertion added Okta companies stay safe.
“On October 12, 2023, Rightway knowledgeable Okta that an unauthorized actor gained entry to an eligibility census file maintained by Rightway in its provision of companies to Okta,” a letter despatched to compromised staff defined. “Upon discovering the incident, we promptly launched an investigation and reviewed the affected file to find out the extent of the impression to our present and former staff, and their dependents. The investigation revealed that your private data was contained within the impacted file.”
Compromised knowledge included names, Social Safety numbers, and well being or medical insurance policy, a letter despatched to potential victims by Okta learn. The corporate added a suggestion at no cost id and credit score monitoring companies.
Ongoing Okta Safety Woes
Definitely, compared to current compromises tied to Okta, this particular knowledge leak by Rightway is not a standout occasion; but it surely could not come at a worse time for the cybersecurity firm.
From risk actors gaming the corporate’s software program platform to breach MGM Resorts to catastrophic impact in September, to October’s incident when attackers compromised Okta’s personal programs to steal buyer knowledge, together with session tokens and cookies (adopted days later by a provide chain assault on its buyer 1Password), it has been a tough few weeks for the id and entry administration (IAM) vendor.
“If it weren’t for seeing Okta’s identify within the press recently for some lower than inspiring safety occasions, I in all probability would not even take any discover of this occasion,” Netenrich’s John Bambenek tells Darkish Studying. “That being stated, I ought to hope for his or her staff sake that they’re taking this occasion severely, and taking a look at what they’ll do to shore up the delicate knowledge that they’re having their third-party distributors course of on their behalf.”
Nonetheless, disclosure of one other cybersecurity incident wherever in its software program provide chain might increase questions on Okta’s general safety posture, significantly amongst its cybersecurity-conscious clientele.
“The belief of cybersecurity professionals may be fragile relating to knowledge breaches,” Important Begin risk intelligence analysis analyst Sarah Jones says. “Whereas cybersecurity incidents can occur to any group, the extent of belief loss is dependent upon how properly the corporate handles the state of affairs.”
Jones provides that Okta’s response has been proactive and constructive on this case. “Okta has taken steps to inform, and assist affected people, providing credit score monitoring companies as a precaution,” Jones provides. “Nonetheless, long-term belief is contingent on the corporate’s dedication to enhancing its safety measures and stopping future breaches.”
Requested about how Okta would reassure its clients it’s taking proactive steps to shore up its general cybersecurity posture, the corporate spokesperson stated they’re sticking to the assertion, for now.
