Data breach reported by Suffolk County computer security vendor

A computer security application that Suffolk County installed last year to protect its systems in the wake of a 2022 cyberattack has itself been the subject of a data breach, leading Suffolk this week to alert its computer administrators to potential new attacks.

In an email obtained by Newsday, Suffolk’s computer team notified administrators across its network that a breach last month of computer security company Okta could result in attempts by hackers to gain access to systems protected by the measures.

Okta makes a security product known as  multi-factor authentication that verifies the identity of users, requiring a unique security code sent to a cellphone or email system outside the primary work address.

A copy of an email sent to IT administrators in Suffolk on Wednesday noted that Okta “just revealed” that a “threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users.”

It notes that every administrator that has “ever been created for our Okta tenant is present in this report.”

For Suffolk and other customers, the breach means there is a “possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks.” Such attacks lure computer users into exposing sign-in or password information by appearing to come from legitimate sources.

Suffolk alerted its administrators to “ensure that all” have multi-factor authentication enrolled and activated to “protect not only the customer support system, but also to secure access to their Okta admin console.”

“I just wanted to let you know so you can be vigilant if any Okta social engineering attack comes your way,” the unsigned email indicates.

Suffolk did not have a two-factor authentication system in place until last year, after it suffered a devastating ransomware attack on Sept. 8, 2022, that took down vital systems and took months to remediate. Lack of the protection was one reason Suffolk was not eligible for cyber insurance before the attack, Newsday has reported.

Suffolk Legis. Anthony A. Piccirillo (R-Holtsville), chairman of a legislative committee investigating the ransomware event, said Thursday that he had not been alerted of the Okta breach by Suffolk or the company. He said he intends to recommend the government operations committee he oversees look into this latest breach. 

"We need to assess how damaging this was first, and then make a decision, quite quickly, in terms of whether we're going to change platforms," said Piccirillo.

Suffolk County Comptroller John Kennedy said he also had not been contacted by IT staff or Okta about the breach, something that he said could violate a Suffolk resolution that requires vendors to "notify my office immediately upon awareness of a breach." 

Kennedy said lack of notification was "sufficient to cause immediate termination of the contract," which he said he'd act to comply with. 

Kennedy said it was his understanding that Suffolk County has paid $800,000 for the Okta software. Further, he said understood that Suffolk also had access to free multi-factor authentification software through its purchase of Microsoft 365 last year, which includes an authenticator.

Suffolk County spokeswoman Marykate Guilfoyle, in a statement, said Okta notified the county earlier this week of a "security incident they experienced. While we have no evidence of increased security threats on Suffolk County we are following appropriate mitigation strategies."  

Guilfoyle noted that "as we continue to strengthen our cyber security policies and procedures, we have put forth legislation to mandate vendors notify the county within 48 hours of a breach or attack.”

She said Okta is deployed "across multiple platforms, not just Microsoft 365."

Okta is a client of lobbyist and consultant Michael Balboni, whose RedLand Strategies has worked for Suffolk County on cybersecurity before and after the Sept. 8 ransomware attack. Balboni, a former state senator and homeland security official, and Suffolk County Executive Steve Bellone have said Balboni did not recommend the products of his clients to the county, and the county has not signed vendor contracts as a result of his recommendations, Newsday has reported.

Balboni on Thursday said there was "no involvement from RedLand" on the Suffolk-Okta contract.

On Wednesday, Okta’s chief security officer, David Bradbury, told customers the breach did not include user credentials or sensitive personal data.

But, he wrote, “Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these [administrator] users.”

Bradbury said that while 94% of Okta customers already require multi-factor authentication for their administrators, "we recommend ALL Okta customers employ MFA and consider the use of phishing resistant authenticators to further enhance their security.”

An Okta spokeswoman provided a link to Bradbury’s blog post in response to Newsday’s questions about the breach. She noted that the breach the company first detected in October was unrelated to Suffolk’s 2022 ransomware attack.

Okta’s stock price has dropped since it first revealed the security breach in October, when its stock was over $85 a share. On Thursday it was trading for just over $60. 

By Mark Harrington

mark.harrington@newsday.comMHarringtonNews

Mark Harrington, a Newsday reporter since 1999, covers energy, wineries, Indian affairs and fisheries.