Identity and authentication management provider Okta has suffered another breach, this one against a third-party vendor that allowed hackers to steal the personal information of 5,000 Okta employees.

The compromise took place in late September at Rightway Healthcare, a service that Okta uses to support employees and their dependents in finding health care providers and plan rates. An unknown threat actor gained access to Rightway’s network and stole the eligibility census file maintained by the vendor on Okta’s behalf. Okta learned of the compromise and data breach on October 12 and did not disclose it until Thursday, exactly three weeks later.

“The personal information contained in the affected eligibility census file includes your name, Social Security number, and health or medical insurance plan number,” a letter sent to affected Okta employees said. “We have no evidence to suggest that your personal information has been misused against you.”

The letter, which discloses the incident for the first time, says Okta began an investigation as soon as it became aware of the incident. The investigation revealed that the stolen file contained data from 4,961 Okta employees.

In an email, an Okta representative said that based on information provided by Rightway, the intruder first gained access to a Rightway employee’s cell phone and then used that access to change credentials and take files. The files, which dated from April 2019 to 2020, were purged from Rightway’s IT environment. They contained personal information relating to Okta employees and their dependents from 2019 and 2020. Okta also said that Rightway informed it that the compromise involved several Rightway customers.

“This incident is not related to the use of Okta services and Okta services are secure,” the representative said. “No Okta customer data is impacted by this incident.”

Rightway representatives did not immediately respond to an email seeking comment and additional details about the breach.

Thursday’s disclosure comes two weeks after Okta disclosed that hackers compromised its customer support system and obtained credentials that allowed them to take control of customers’ internal Okta administration accounts. The attackers then used those credentials in follow-on hacks that targeted internal administration accounts at 1Password, BeyondTrust, Cloudflare, and possibly other customers.

Okta is based in San Francisco and provides cloud identity, access management for single sign-on, multifactor authentication, and API services to thousands of organizations around the world. The company has come under criticism in the past for security breaches and the way it handled them afterward. Recently, Cloudflare called out Okta for not removing the intruders from its network until October 16, 16 days after first becoming aware of the compromise. Cloudflare urged Okta to act swiftly if it learns of future security breaches, provide early disclosures, and use hardware keys to protect internal systems and systems used by third-party support providers.

“For a security critical service provider like Okta, we believe it is important to follow these best practices,” Cloudflare researchers wrote.

An Okta representative said in a Thursday email that when the company learned of the Rightway compromise on Oct. 12, investigators had 27,000 records to sort through. Most of the process had to be completed manually and took time to complete.

