Nearly 5,000 Okta employees affected by third-party data breach

Updated at 12:50pm EST with a statement from Okta.

Almost 5,000 current and former Okta employees and dependents were affected by a data breach following a cyberattack on a third-party provider used by the company for healthcare services.

According to documents submitted to regulators in Maine, the single sign-on provider said Rightway Healthcare — which Okta uses to help employees find healthcare providers and rates — informed them of a data breach that occurred on September 23.

“On October 12, 2023, Rightway informed Okta that an unauthorized actor gained access to an eligibility census file maintained by Rightway in its provision of services to Okta. Upon discovering the incident, we promptly launched an investigation and reviewed the affected file to determine the extent of the impact to our current and former employees, and their dependents,” Okta told its employees.

The company said names, Social Security numbers, health or medical insurance plan numbers were leaked during the attack. In total, 4,961 employees were affected.

Those affected are being offered two years of free credit monitoring, identity restoration and fraud detection services through Experian.

In a statement to Recorded Future News, Okta said Rightway "had a security incident in September 2023 in which files from April 2019 through 2020 were exfiltrated from its IT environment. These contained personal information about employees and their dependents from 2019/2020. This incident does not relate to the use of Okta services and Okta services remain secure. No Okta customer data is impacted by this incident."

The breach comes days after the company was embroiled in controversy over a security incident that affected several of their customers.

Password manager 1Password, cybersecurity firm BeyondTrust and cybersecurity and networking giant Cloudflare all said they were targeted by hackers following the Okta breach.

Cloudflare slammed Okta for allowing the hacker to stay in their systems from October 2 to October 18 despite being notified of the issue by BeyondTrust.

Okta also faced backlash last year for its handling of another data breach involving several customers, and the company’s CSO publicly apologized for the incident.