
4 Takeaways from Okta Breach? – Ep 351 

 April 15, 2022

By  Donna Grindle

It is crucial for every business to understand the security practices of their vendors. And also to make sure that those vendors are vetting their vendors. A cyber attack at a link in your supply chain can drastically affect your business. Evidence: the Okta breach.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

PriSec Boot Camp

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[04:41] Take Privacy Rules seriously!

This was one of the cases mentioned during the HIPAA Summit in March. For those who just can not control themselves and abuse their access privileges, pay attention to this one. We just recently discussed the three enforcement arms of HIPAA. In that episode we discussed how the FTC gets involved in these cases, but we pointed out that the DOJ is picking up their participation awards as well.

Former Cedar Rapids Hospital Employee Sentenced for Accessing Ex-Boyfriend’s Medical Records | USAO-NDIA | Department of Justice

A former Cedar Rapids hospital “patient care technician”, Jennifer Lynne Bacor, age 41, from Las Vegas, NV, pleaded guilty to one count of wrongfully obtaining individually identifiable health information under false pretenses.

On multiple occasions between April and October 2017, Bacor used her login credentials to access her ex-boyfriend’s protected private health information even though he was not one of her patients. In September 2017, Bacor took a picture of a medical photograph that showed one of her ex-boyfriend’s injuries and sent the picture to a third person. The third person then sent the picture to the ex-boyfriend and others on Facebook messenger along with taunting language and emojis.

Bacor was sentenced to 5 years probation and fined $1,000.

During her probationary term, Bacor will be restricted from employment in which she would have access to private medical information of others. In sentencing Bacor, Judge Williams observed that Bacor had “weaponized” her ex-boyfriend’s private medical information.

405(d) Tip of the Week

[12:59] The 405(d) Post is a bi-monthly newsletter that strives to educate on new and emerging cybersecurity threats and technologies by highlighting the use of the HICP publication and how our Task Group members have used it in practical situations, and that shares news of upcoming cybersecurity and U.S. Department of Health and Human Services events.

The March 2022 release is the most recent: The 405(d) Post, Volume XV.

The opening article shares A Word from the Task Group. That “Word” for March was: The Impact of Ransomware on Healthcare, written by Ed Gaudet, who is the Co Lead of the Ambassadors with us. We highly recommend the article for great information to assist you in making your business decisions concerning planning for ransomware attacks.

Ed includes some findings from a Ponemon Institute study released in September (one of the many reports we haven’t had time to review in an episode) along with others. His wrap-up at the end is just one of the many excellent points made throughout the article:

The Ponemon Institute study is not only a wake-up call for the healthcare industry to transform its cybersecurity and risk management programs, but also a call for community advocacy to take action and deliver more robust protection of our data and the assurance of the availability of life-saving care whenever and wherever we need it.

Another feature of the newsletters is The 405(d) Chronicles, which are first-hand stories from Task Group Members. This month’s article by Bijan Anvar covers cybersecurity myths he has encountered. Let’s just say he agrees with us about the importance of not assuming that IT people really do know everything, especially when it comes to HIPAA and cybersecurity requirements.

After one of my presentations, someone told me that my presentation was useless to them because their office used “Macs” and, “FYI, Macs don’t get malware.” This was a relatively small group, but the gentleman assured me that he confirmed it with the person who handles their IT. I politely mentioned that it is never a bad idea to get a second or third opinion, and he might want to consider speaking with someone else. This was on a Sunday. The following day, he called me to say that he was hit with ransomware and needed help.

There is plenty of other great stuff in each of these newsletters. Sign up for the mailing list to get regular updates when new information comes out. Also, find all of them at 405d.hhs.gov under News & Awareness Resources.

4 Takeaways from Okta Breach

[19:33] Okta admitted to a data breach on March 25, but only after the hacker collective Lapsus$ published screenshots from a security incident that had occurred in January.

In the information dump, the gang “claimed it did not steal data from Okta, and that its focus was on targeting Okta customers.”

Okta chief executive Todd McKinnon tweeted “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.”

“Okta’s chief security officer David Bradbury said the compromise was with one of Okta’s third-party providers over a five-day window between January 16-21, 2022.”

Who was the 3rd party service provider?

Sykes Enterprises, Inc. (which was acquired by Sitel in September 2021) is the third-party service provider that provides customer support engineering on behalf of Okta. As of Saturday, March 26, we are no longer working with Sykes/Sitel and terminated their account access. Sitel Group

What is interesting is in the Okta blog post there is a timeline showing all of this stuff:

Timeline (times in UTC)

  • January 20, 2022, [23:18] | Okta Security received an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The target did not accept an MFA challenge, preventing access to the Okta account.
  • January 20, 2022, at [23:46] | Okta Security investigated the alert and escalated it to a security incident.
  • January 21, 2022, at [00:18] | The Okta Service Desk was added to the incident to assist with containing the user’s account.
  • January 21, 2022, at [00:28] | The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated.
  • January 21, 2022, at [18:00] | Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
  • January 21, 2022 to March 10, 2022 | The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
  • March 17, 2022 | Okta received a summary report about the incident from Sitel.
  • March 22, 2022, at [03:30] | Screenshots shared online by LAPSUS$
  • March 22, 2022, at [05:00] | Okta Security determined that the screenshots were related to the January incident at Sitel.
  • March 22, 2022, at [12:27] | Okta received the complete investigation report from Sitel.
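
The detection-and-containment sequence in the timeline above, as an added example that is not part of the episode notes or of Okta’s own tooling: a small Python detector over constructed log events that flags a new MFA factor enrolled from a location never seen for that user, raises the severity when the following MFA challenge is not accepted, and maps the result to the containment steps the timeline shows (terminate sessions, suspend the account, open an incident). The event types, field names and sample events are assumptions, not any real identity provider’s schema.

```python
from collections import defaultdict

# Constructed sample events, oldest first (not real log data). Field names and
# event types are assumptions chosen to resemble an identity provider's system log.
EVENTS = [
    {"t": "2022-01-10T09:02Z", "user": "support.eng", "type": "login.success", "geo": "US-TX"},
    {"t": "2022-01-18T14:30Z", "user": "support.eng", "type": "login.success", "geo": "US-TX"},
    {"t": "2022-01-20T23:18Z", "user": "support.eng", "type": "mfa.factor.enrolled", "geo": "ZZ-01"},
    {"t": "2022-01-20T23:19Z", "user": "support.eng", "type": "mfa.challenge", "geo": "ZZ-01", "result": "DENIED"},
    {"t": "2022-01-20T23:40Z", "user": "other.user", "type": "mfa.factor.enrolled", "geo": "US-TX"},
]


def detect(events):
    """Return a list of (user, severity, reason) alerts, in event order.

    A location counts as known for a user only after a successful login from it,
    so an attacker's own enrollment event cannot teach the baseline its location.
    A user with no login history at all is treated as new-location by design.
    """
    known = defaultdict(set)   # user -> locations seen on successful logins
    flagged = set()            # users with a new-location factor enrollment
    alerts = []
    for ev in events:
        user, geo, etype = ev["user"], ev["geo"], ev["type"]
        if etype == "login.success":
            known[user].add(geo)
        elif etype == "mfa.factor.enrolled" and geo not in known[user]:
            flagged.add(user)
            alerts.append((user, "medium", f"new factor enrolled from unseen location {geo} at {ev['t']}"))
        elif etype == "mfa.challenge" and user in flagged and ev.get("result") != "ACCEPTED":
            alerts.append((user, "high", f"MFA challenge not accepted after new-location enrollment at {ev['t']}"))
    return alerts


def containment(alerts):
    """Map each alerted user to the containment steps the timeline shows Okta taking."""
    steps = {}
    for user, severity, _ in alerts:
        if severity == "high":
            steps[user] = ("terminate_sessions", "suspend_account", "open_incident")
        else:
            steps.setdefault(user, ("open_incident",))
    return steps


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(*alert)
    print(containment(found))
```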

The update also included this admission:

Why didn’t Okta notify customers in January?

We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible.

In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel.

In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.

How bad is the breach for Okta clients?

Ultimately, Okta says they have determined that 366 customers may have been impacted. Plus, they say the “blast radius” did not impact “HIPAA and FedRAMP customers.”

We have clients who use this tool. They have experienced a breach caused by a third party entity before. They know first hand how painful it is when you have zero control over something happening outside your business. This is why we all have to improve our vetting process for vendors and insist they all do the same.

[30:55] What really happened? Not completely clear but…

Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show | TechCrunch

Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021.
…the hackers accessed a spreadsheet on Sitel’s internal network early on January 21 called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager.

Sorry but WHAT?!? “DomAdmins-LastPass.xlsx.”

Why would you have a spreadsheet of info from LastPass labeled that clearly and not secured in several different ways – like its own encryption maybe?

Good news?

U.K. police said last week they had arrested seven people connected to the incidents, all aged between 16 and 21.

Here’s the thing though

Here you are using Okta because it really does help manage all the security in one spot. Vet Okta itself and you will not see any reason not to expect reasonable security from them.

I doubt Okta would have brought on Sitel if they didn’t check them out. But here is where the whole thing goes sideways: the acquisition of Sykes Enterprises by Sitel.

They were very excited about it: The $2.2B acquisition places Sitel Group firmly in the top 3 position of global CX leaders with greater scale, larger global footprint and enhanced digital expertise.

Independently, Sykes may also have shown a strong security posture. But once the merger started, it is clear that either that assumption about Sykes was not true or the transition team seriously dropped the ball.

Something so simple can have worldwide implications. Someone in some place in the world decided not to worry about securing the VPN or making sure it was very tightly monitored. Then, likely another person decided to download from LastPass a bunch of login information into a spreadsheet leaving it in free open text.

It is like all the elements were put in place to cause a major explosion. It was just a matter of time before some criminal lit the fuse.

[37:26] What should we learn here?

  1. Vet your vendors. Just because this went so deep does not mean we should stop. Imagine what would happen then!
  2. Ask vendors what kind of vetting they do of their vendors and seriously question those who aren’t making any new efforts in our new threat environment.
  3. If you are a vendor, pay attention to how important tiny little things can be. You can be just one element of the explosive moment, but without you it may not happen at all.
  4. If there is an acquisition taking place anywhere in your company or with your vendors ask lots of questions and send them to read this story. There are definitely others to share but this one should work if anything is going to work.

Understand that any business you work with, that keeps your business running, or that is connected in some way to your business is part of your supply chain. You not only need to thoroughly vet those businesses but also make sure they are vetting their vendors, because, just as with Okta, a breach of data can be caused by someone down the supply chain tail.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
