Okta is warning nearly 5,000 current and former employees that their personal information was exposed after a third-party vendor was breached.
Okta is a San Fransisco-based cloud identity and access management solutions provider whose Single Sign-On (SSO), multi-factor authentication (MFA), and API access management services are used by thousands of organizations worldwide.
The
data breach notification warns of a security incident that impacted Rightway Healthcare, which provides healthcare coverage for Okta employees and their families.
On September 23, 2023, Rightway suffered a network breach, resulting in cybercriminals accessing an eligibility census file maintained for insurance provision and benefit plans for eligible individuals.
The file contained the following information on current and former Okta employees and their dependents:
- Full names
- Social Security Numbers (SSNs)
- Health or Medical Insurance plan number
Okta learned about the breach on October 12, 2023, when Rightway disclosed the attack, and immediately launched an investigation to determine the extent of the compromise.
According to Okta's report to the Office of the Maine Attorney General, the breach impacted a total of 4,961 employees.
Apart from the exposure of health information, the leak of employees' full names could be helpful to cybercriminals in deriving corporate email addresses and engaging in targeted brute-forcing to hijack valuable accounts within the company.
The notice highlights twice that Okta has no evidence the personal information of those people has been misused.
However, the firm encloses instructions on enrolling for two-year credit monitoring, identity theft protection, and fraud protection services through Experian.
Okta shared a statement after this story was published stating that the exposed employee data was from April 2019 through 2020.
"An Okta vendor, Rightway Health, had a security incident in September 2023 in which files from April 2019 through 2020 were exfiltrated from its IT environment," Okta told BleepingComputer.
"These contained personal information about employees and their dependents from 2019/2020. This incident does not relate to the use of Okta services and Okta services remain secure. No Okta customer data is impacted by this incident."
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
