Okta tells 5,000 of its own staff that their data was accessed in third-party breach

Okta has sent out breach notifications to almost 5,000 current and former employees, warning them that miscreants breached one of its third-party vendors and stole a file containing staff names, social security numbers, and health or medical insurance plan numbers. The third-party, Rightway Healthcare, helps people compare …

  1. Anonymous Coward

    Is there any coming back from this ?

    An outfit that (quite aggressively) punts its services as keeping you secure, manages to fail to keep its own crown jewels safe ?

    1. Anonymous Coward

      Re: Is there any coming back from this ?

      Well, Microsoft is still in business despite being the one software provider that connects all ransomware attacks, so I'd say yes.

      All you need is a large enough budget for bribes lobbying and lying marketing.

    2. doublelayer Silver badge

      Re: Is there any coming back from this ?

      Do you mean this specific incident, because if you do, you do realize that it was a company other than Okta that had the system from which the file was stolen. I'm sure your employer outsources some part of its business, and it would be great if they could make sure that every supplier had perfect security, but that doesn't make them the cause of any supplier's failure.

      1. Lurko

        Re: Is there any coming back from this ?

        "you do realize that it was a company other than Okta that had the system from which the file was stolen....but that doesn't make them the cause of any supplier's failure"

        Except that it fucking does. The data was entrusted to Okta. The data has been compromised. This is Okta's fault.

        If they cannot be sure that their suppliers, resellers and subcontractors are at least as secure as Okta themselves, then they shouldn't use them and should hold the data in-house. We keep hearing these pathetic excuses from companies that should know better that it was a supplier, vendor, subcontractor that caused a breach, it'd be nice if regulators and courts actually started considering this to be an aggravating rather than mitigating factor. In an ideal world customers would consider this before using Okta, in practice Okta's customers are big corporations and the public sector, and procurement is a process in which some (arguably many) important questions simply are not asked, scores are added up and whoever gets the highest score gets the gig.

        As a starter, any security service vendors should be ranked according to all known breaches and data losses for the SSV themselves. What sort of management do Okta have? If this is how they treat their own employees' data, how competent are they on background checks when hiring their own staff? How thorough are they when sub-contracting devs, or offshoring coding? Essentially, this story begs the question how trustworthy are Okta? Lucky that their customers will keep following the process rather than ask that question.

        1. doublelayer Silver badge

          Re: Is there any coming back from this ?

          As I said, being able to guarantee the security of anyone who ever does a service for you would be great. Unfortunately, actually guaranteeing that would require the audit from hell. Sorry, I mean it is impossible, but getting close to it requires that. Do you or your employer provide services to other companies from time to time? Are you confident that every one of your systems is perfect, both from technical flaws and from organizational ones?

          For incidents where you are responsible for losing data, it's perfectly logical for someone to start with the idea that you are to blame for it. For incidents where someone else does, you have a higher burden of proof to indicate that you should have known that the place was being negligent. In your personal life, you have a lot of companies that store your data because they are the only feasible option and the alternatives are no more likely to be able to guarantee security. For example, the landlord from whom I rent housing probably has more information about me than they really need to keep, and I have no way to confirm that they have stored any of it securely, but I also have no way of guaranteeing that if I were to rent from someone else. This is an unfortunate fact, but if we're going to play the blame game, we have to do a proper analysis of who made which mistake and whether a reasonable company would have known that was likely. Jumping to the conclusion that it's my fault if my landlord's database of identification documents is cracked is letting them off the hook by transferring the blame to someone who could not have prevented it, and you may be doing it with the supplier here as well.

        2. Cav Bronze badge

          Re: Is there any coming back from this ?

          Then it's your fault for using whatever app/service that leaks your data. By your ridiculous logic the end user is responsible for any breach of their data for not making sure that the vendor was secure in all circumstances, which is impossible.

          And as I said elsewhere, blaming Okta is stupid. If a user within an organization willingly hands over their credentials as a result of a Phish then no system on earth can prevent the breach. Even with MFA. Attackers just keep harassing the end user with "Is it really you trying to login" messages and some users just click "Yes" to stop the barrage or because they are stupid.

          We hold regular phishing tests at my place of work. The number of people who enter their credentials into fake login screens, for systems we don't even have, or authorise transactions by clicking "Accept", also for supposed systems we actually don't even have, is insane. People are careless and, if a phish attack works, attackers have user credentials or the user has clicked to download malware.

    3. NeilPost Silver badge

      Re: Is there any coming back from this ?

      Pretty poor article.

      The 3rd party - Rightway Healthcare - is mentioned as an Okta vendor, *not* a customer.

  2. Cav Bronze badge

    It's hardly Okta's fault if a third party is breached. Similarly with the phishing attempts. You can put in place all the security you want but if someone falls for a social engineering attack and IT departments at the target sites compromise accounts for the attacker, that is not the fault of Okta. Even if you have MFA in place, prompt fatigue causes people to click "Yes, it was me" when asked for the 3,000th time if it is them trying to login.

    The only one of these that might be Okta's fault is the actual breach of their system. Even then, stolen credentials and prompting fatigue causing someone to confirm that it was them trying to login lets attackers walk into any system.

    All systems can be breached one way or another.
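The push-fatigue pattern Cav describes (a burst of MFA prompts followed by one "Yes, it was me") leaves a distinctive trace in the identity provider's logs, and a detection rule can catch it even when the user eventually approves. The following is an added example, not code from the article, from Okta, or from any commenter; the log format (timestamp, user, event name) and the five-prompts-in-ten-minutes threshold are assumptions chosen for illustration, and the sample lines are constructed.

```python
"""Detect MFA push fatigue ("prompt bombing") in an authentication log.

Added example. The line format "timestamp user event" and the event names
push_sent / push_approved / push_denied are assumptions, not any vendor's
real schema; adapt the parser to the IdP export you actually have.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # trailing window in which pushes are counted
MIN_PUSHES = 5                  # pushes within WINDOW before an approval that we flag

# Constructed sample log (ISO 8601 UTC timestamps). "bob" is the
# prompt-bombing case: six pushes in four minutes, then an approval.
SAMPLE_LOG = """\
2023-11-02T08:00:01Z alice push_sent
2023-11-02T08:00:05Z alice push_approved
2023-11-02T21:14:10Z bob push_sent
2023-11-02T21:14:42Z bob push_sent
2023-11-02T21:15:20Z bob push_sent
2023-11-02T21:16:03Z bob push_sent
2023-11-02T21:16:55Z bob push_sent
2023-11-02T21:17:30Z bob push_sent
2023-11-02T21:18:02Z bob push_approved
2023-11-02T21:40:00Z carol push_sent
2023-11-02T21:40:20Z carol push_denied
"""


def parse(log):
    """Parse the constructed log into (timestamp, user, event), oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def find_push_fatigue(events, window=WINDOW, min_pushes=MIN_PUSHES):
    """Return (user, approval_time, pushes_in_window) for every approval that
    was preceded by at least min_pushes pushes inside the trailing window.

    A denial does not reset the count: the attacker typically keeps sending,
    so the pushes before a deny still matter for a later approve.
    """
    pending = defaultdict(list)  # user -> timestamps of push_sent not yet approved
    alerts = []
    for ts, user, event in events:
        if event == "push_sent":
            pending[user].append(ts)
        elif event == "push_approved":
            in_window = [t for t in pending[user] if ts - t <= window]
            if len(in_window) >= min_pushes:
                alerts.append((user, ts, len(in_window)))
            pending[user].clear()  # an approval ends the episode either way
    return alerts


if __name__ == "__main__":
    for user, when, n in find_push_fatigue(parse(SAMPLE_LOG)):
        print(f"ALERT {user}: approved at {when:%H:%M:%S} after {n} pushes")
```

The rule fires on bob and stays silent on alice (one prompt, one approval) and carol (who denied). The caveat a practitioner would add: this detection is a backstop, not the fix. Number matching on the push prompt or a phishing-resistant factor such as FIDO2 removes the "just click Yes" failure mode rather than merely observing it.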

    1. ChoHag Silver badge

      It is Okta's fault which third parties they choose to engage with.

      1. Cav Bronze badge

        Nonsense. If you choose a bank, how do you know it is any more secure than any other? Are you then at fault for choosing the one that gets breached?

    2. Wellyboot Silver badge

      Yes, the Okta breach is far more important* than 3rd party held employee data going walkies. Breaching Okta or any similar outfit without setting off the alarms will potentially allow far easier access to any number of clients through the front door.

      *for everyone else, for the affected staff it's a nightmare.

    3. An_Old_Dog Silver badge

      Human Factors

      Hey, guess what? You can outsource your business's functions, but you cannot outsource the responsibility for any breaches of your (sub-)contractors and providers.

      Yes, IT can only do so much. However, trying to blow off the organization's responsibility by saying, "Oh, well, it was a social engineering attack, what can ya do (Gallic shrug)?" is pure bullshit. It is the organization's responsibility to hire people who are not gullible, and to fire those employees who are gullible. If the organization fails that responsibility, then they ought to bear the full financial consequences, including damages of people whose details are leaked. None of this "We're giving you a free year of credit monitoring, have a nice day." booshwah. As for Okta, they need to be suing their contractors who were breached. "Oh, our contract with Company X specifically excludes such damages." Really? Well, that was a failed gamble on Okta's part, in which case Okta ought to bear the full financial responsibility.

      1. Cav Bronze badge

        Re: Human Factors

        "It is the organization's responsibility to hire people who are not gullible.."

        That's just ridiculous. It's never going to happen. Should every data entry clerk have a thorough psych evaluation?

        You have no idea about human psychology.

        Even Kevin Mitnick was once successfully phished. A 100% phish proof person does not exist.

        1. Lurko

          Re: Human Factors

          "A 100% phish proof person does not exist."

          Irrespective of that, if an organisation is entrusted with data, it's the organisation's responsibility to keep it safe. If they can't keep it safe they shouldn't have it.

          I don't care that many people are gullible - that's the world we live in, but that means the organisation needs multiple layers of security, proper security architectures, proper processes and security resources, and a data officer who makes sure that data is only collected where genuinely needed, is archived offline or deleted as soon as no longer operationally needed, and that repressive access controls are in place.

          Even where somebody needs access to data to do their job, the overwhelming majority certainly don't need to download the whole lot of it at once as happens in many data breaches. Such needs do arise, they're exceptional and should be handled as such. Do these companies processing personal data not have proper network monitoring, do they think it's normal for a user account to syphon off an entire database whilst apparently working remotely? Do they not have 2FA so that even user credentials provided by the gullible aren't a blank cheque? Do they really need all that data available 24/7, rather than loaded on user request? Do they not limit remote access sessions and have proper controls on them? And if it's the sysadmin accounts that have been compromised, then clearly the company has hired the wrong calibre of staff.

          1. An_Old_Dog Silver badge

            Re: Human Factors

            I once read a book written in the late 1970s about computer systems security. The authors wrote about data-processing operations within a bank, and how certain operations and data-accesses required two people to execute.

            Banks (and other companies) probably don't do that any more, because they don't want to pay the "extra" salaries. Companies wanting to do things cheaply is not a valid excuse for failing to protect the data entrusted to them in confidence.

  3. Pascal Monett Silver badge

    "ID management biz"

    And you couldn't guess that you'd be first in line for hackers everywhere ?

    Well, looks like you're learning the hard way . . .

  4. A Non e-mouse Silver badge
    WTF? "unauthorized" crook..

    What's an "authorized" crook?

    1. anothercynic Silver badge

      One that works at Okta? :-)

    2. Clausewitz4.0 Bronze badge

      What's an "authorized" crook?

      You can find those living at Downing Street

    3. PhoenixKebab

      Missed opportunity

      They should have started by claiming it was a "sophisticated attack from a state-level actor".

      That makes it sound like you have a least some security measures in place.

  5. Anonymous Coward

    One for the Golgafrincham Ship B

    Arthur Dent: “You mean you've got a hold full of frozen hairdressers”

    Captain: “Oh yes, millions of them. Hairdressers, tired TV producers, insurance salesmen, personnel officers, security guards, public relations, executive management consultants, cybersecurity directors and attorneys ..”

  6. Anonymous Coward

    But why?

    Once an individual has been verified, why is their raw data left hanging around?

    Surely this data can be converted to some internal algorithm and the original data either deleted or stored completely off line.

    Why do companies store this stuff in such a discoverable way?

    1. Lurko

      Re: But why?

      Because for people like HR and corporate administrators, Daterzekurity is a planet in a distant galaxy, and Data Protection is simply a boring mandatory course to be inflicted upon all employees on a regular basis. Which reminds me, I need to do my annual refresh on GDPR. That'll keep everybody safe!

      So many breaches, ransomware or other damaging attacks are down to the absolute basics - data that doesn't need to be routinely accessible at all, data that shouldn't be accessible from outside, data which needs a permanent record but is held in a rewriteable format, user accounts that have excessive permissions, connection monitoring that doesn't flag up gigabytes of data being exfiltrated by accounts that would normally only use a few megabytes, etc etc.
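The monitoring gap Lurko raises here and in the earlier comment (an account that normally moves a few megabytes suddenly pushing gigabytes out, with nothing flagging it) is one of the cheaper detections to build, because it only needs per-account egress totals and each account's own history. The following is an added example, not code from the article or any commenter; the daily egress records are constructed, the field layout (day, user, bytes out) is an assumption about what a proxy, VPN or cloud flow-log summary could yield, and the 20x multiplier, 500 MiB floor and three-day minimum history are starting points to tune, not recommendations from the page.

```python
"""Flag accounts whose outbound data volume is far above their own baseline.

Added example. Records are (day, user, bytes_out) daily summaries; the
thresholds below are assumptions to tune per environment. Each account is
compared only with its own prior days, so a build server that always moves
40 GiB is not an anomaly, while an HR account that jumps from 4 MiB to
12 GiB is.
"""
from collections import defaultdict
from statistics import median

MULTIPLIER = 20                 # a day >= 20x the account's median day is suspicious...
FLOOR_BYTES = 500 * 1024 ** 2   # ...but only above 500 MiB, so tiny baselines don't alert on noise
MIN_HISTORY_DAYS = 3            # prior days needed before a baseline is trusted

MiB = 1024 ** 2
GiB = 1024 ** 3

# Constructed daily egress summaries (day, user, bytes_out).
SAMPLE_EGRESS = [
    ("2023-10-30", "hr_admin", 3 * MiB),
    ("2023-10-31", "hr_admin", 5 * MiB),
    ("2023-11-01", "hr_admin", 4 * MiB),
    ("2023-11-02", "hr_admin", 12 * GiB),    # an entire personnel database leaving
    ("2023-10-30", "build_bot", 40 * GiB),   # legitimately large every day
    ("2023-10-31", "build_bot", 38 * GiB),
    ("2023-11-01", "build_bot", 41 * GiB),
    ("2023-11-02", "build_bot", 45 * GiB),
    ("2023-10-30", "newhire", 1 * MiB),
    ("2023-11-02", "newhire", 30 * MiB),     # too little history to judge yet
]


def egress_alerts(records, multiplier=MULTIPLIER, floor=FLOOR_BYTES,
                  min_history=MIN_HISTORY_DAYS):
    """Return (user, day, bytes_out, baseline) for each day that exceeds
    max(multiplier * baseline, floor), where baseline is the median of the
    account's earlier days. The day under test is excluded from its own
    baseline so a large exfiltration cannot mask itself.
    """
    by_user = defaultdict(list)
    for day, user, bytes_out in sorted(records):
        by_user[user].append((day, bytes_out))

    alerts = []
    for user, days in by_user.items():
        for i, (day, bytes_out) in enumerate(days):
            history = [b for _, b in days[:i]]
            if len(history) < min_history:
                continue  # not enough prior data; a low-history account needs a different rule
            baseline = median(history)
            if bytes_out >= max(multiplier * baseline, floor):
                alerts.append((user, day, bytes_out, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, out, base in egress_alerts(SAMPLE_EGRESS):
        print(f"ALERT {user} on {day}: {out / GiB:.1f} GiB out, "
              f"baseline {base / MiB:.1f} MiB/day")
```

Only hr_admin trips the rule; build_bot's 45 GiB day is within its normal range and newhire has too little history. The floor matters in practice: without it an account that usually sends 10 KiB would alert on a 300 KiB e-mail attachment, which is exactly the kind of noise that gets a rule switched off.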

      1. Cav Bronze badge

        Re: But why?

        "data that shouldn't be accessible from outside"

        No one deliberately makes such data available on the outside. That's what "breach" means. If attackers get into a network or obtain the credentials of someone with a legitimate need to access the data then they get internal data.

        Some of your other concerns are valid but there will always be cases where someone breaches a high level user account.

        1. Lurko

          Re: But why?

          "Some of your other concerns are valid but there will always be cases where someone breaches a high level user account."

          High level accounts should be a focus of additional training, additional security, additional monitoring, as well as still having access controls. It does seem that for too many companies there's high level accounts that amount to being given the ability to exfiltrate in plain text huge amounts of data that the account holder doesn't need visible to them in the normal course of business.

          You do seem rather fatalistic here, to the extent that it comes across that you don't blame companies for giving data to third parties that get breached, you're fatalistic that users will always get pwned, that even admin accounts will be accessed. Why not just publish it all to the internet and be done with it?

    2. Cav Bronze badge

      Re: But why?

      So, when your customer calls in or applies for another service, you expect whoever answers the call to say "Hold on while I just go and get your paper file/CD/DVD, or whatever other off-line storage device might be employed. It should only take me an hour to find it."?

      You might be prepared to wait for the sake of security but the average customer is not. Convenience for the customers - who demand that convenience. That's why data is held in discoverable ways.

      Customer facing employees need immediate access to data to be able to confirm identity while you are on a call, for example, or in order to change it. Do you want emails/paper communications going to the wrong address?

      Departments like HR need to keep social security numbers (in the US), dates of birth, addresses and bank details (how will they pay you without those?) They will also keep details of qualifications, next of kin, in case of emergency, emergency contact numbers. All have to be readily available otherwise delays occur, which customers will not accept, and costs go up - filing clerks make a return - which again, customers will not accept.

      1. An_Old_Dog Silver badge

        Doing it the (Semi-) Old-Fashioned Way

        My employer does not have my bank details. It does not need to have them. Each two weeks, they print me a check, and a pay stub, and hand it to me during lunch break. I take my check to a branch office of my bank, hand it to a teller, and have them deposit it into my bank account.

        I also carefully look at my receipt. The last time I deposited my check, I was reading my receipt as I was walking toward the exit, stopped, turned around, went back to the teller, and said, "Excuse me, please look at the amount shown on my pay stub here and tell me what it is. My eyes aren't what they used to be." He did so. The number he read off was approximately a hundred dollars less than the deposit amount shown on my receipt. With my approval, he reversed the original deposit transaction, and created a new one, with the correct amount (as shown on the check), and gave me a new receipt.

        His supervisor said they sometimes have trouble with their scanning machines (which OCR-scan the check).

  7. John H Woods Silver badge

    Dear medium to large sized organizations

    Manage your own identity systems. Yes it's hard. But is a smaller organization that cares less about your data going to be any better at it?
