Tealium Statement on Okta Breach

MikeRodriguez
Tealium Employee

Okta confirmed on March 22, 2022 that in late January 2022 a subprocessor/third party engineer’s account was compromised. However, the company has stated they have no evidence of ongoing malicious activity. Okta’s official statement: 

"In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."

Is Tealium at risk? 

Tealium does not use Okta as a customer-facing IdP. Tealium only uses Okta as its internal Identity Provider (IdP) for its corporate infrastructure. Tealium is aware of and continues to monitor the latest updates regarding the January 2022 breach. Tealium has no reason to believe that the Okta breach has impacted or in any way reduced the security of Tealium’s Services, including the security of customer data.

What is Tealium’s response? 

At this time, Okta has not contacted Tealium. With that said, Tealium is engaging our vendors that participate in the delivery of our Service to ensure our Services are secure and to verify the fidelity of our security controls. Tealium is also engaging our vendors to verify their usage of Okta and how that affects Tealium. Tealium is actively monitoring the situation via threat intelligence feeds and is monitoring our environment for signs of compromise. Furthermore, as indicators of compromise and defensive recommendations are released, we will be updating our posture to secure our systems and data processing networks to mitigate any new threats.

What do customers need to do? 

Customers may continue to use Tealium’s services normally. Nothing needs to be done in relation to the use of Tealium’s services. 

Will Tealium keep customers informed? 

If we determine that the Okta breach impacts the security of our services, we will invoke our Incident Response processes and notify affected customers.

If you have any questions or concerns, please contact your customer management team. 

Compliance, Governance and Audits 

As a reminder, Tealium agrees to comply with its obligations under applicable laws and regulations, including those related to data security and privacy. See Tealium’s terms at tealium.com/terms CPP: 2. Data Processing.

Tealium has an Information Security and Privacy Management System (“ISPMS”) that defines the implementation of our ISPMS program. The ISPMS program has executive oversight by the ISPMS Governance Council that meets quarterly.

Tealium certifies annually to the following frameworks:

SOC2 Type 2 

ISO/IEC 27001:2013 

ISO/IEC 27018:2019 - Security in the Cloud enhancements to 27001 

ISO/IEC 27701:2019 - Privacy enhancements to 27001 

Health Insurance Portability and Accountability Act (“HIPAA”) 

Security related Training 

Tealium’s employees must complete annual Information Security Awareness training to ensure everyone at Tealium understands their role and responsibility in the Security of Tealium and our Services.

Tealium’s Operations staff undergo extended training on security and HIPAA requirements to ensure their understanding of the additional controls in place as well as the privacy impacts of handling PHI.

Tealium’s Developers are trained in secure coding practices and compliance with at least the OWASP Top 10 and SANS Top 25 Most Dangerous Programming Errors.
