Okta confirmed on March 22, 2022 that in late January 2022 the account of a customer support engineer working for one of its subprocessors (a third party) was compromised. Okta has stated that it has no evidence of ongoing malicious activity. Okta's official statement:
"In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."
Is Tealium at risk?
Tealium does not use Okta as a customer-facing identity provider (IdP). Tealium uses Okta only as the internal IdP for its corporate infrastructure; it plays no role in customer authentication to Tealium's Services. Tealium is aware of, and continues to monitor, the latest updates regarding the January 2022 breach. Tealium has no reason to believe that the Okta breach has impacted or in any way reduced the security of Tealium's Services, including the security of customer data.
What is Tealium’s response?
At this time, Okta has not contacted Tealium. Nonetheless, Tealium is engaging the vendors that participate in delivering our Services to confirm that those Services remain secure and to verify that our security controls are operating as intended. Tealium is also asking those vendors whether and how they use Okta, and how any such use affects Tealium. Tealium is actively monitoring the situation via threat intelligence feeds and is monitoring our environment for signs of compromise. As indicators of compromise (IoCs) and defensive recommendations are released, we will update our controls to protect our systems and data processing networks against any new threats.
What do customers need to do?
Customers may continue to use Tealium's Services normally. No action is required in relation to the use of Tealium's Services.
Will Tealium keep customers informed?
If we determine that the Okta breach impacts the security of our services, we will invoke our Incident Response processes and notify affected customers.
If you have any questions or concerns, please contact your customer management team.
Compliance, Governance and Audits
As a reminder, Tealium agrees to comply with its obligations under applicable laws and regulations, including those related to data security and privacy. See Tealium's terms at tealium.com/terms (CPP, section 2, Data Processing).
Tealium operates an Information Security and Privacy Management System ("ISPMS") that defines how our security and privacy program is implemented. The program has executive oversight from the ISPMS Governance Council, which meets quarterly.
Tealium is audited annually against the following frameworks:
SOC 2 Type 2
ISO/IEC 27018:2019 - Protection of personally identifiable information (PII) in public clouds acting as PII processors, extending ISO/IEC 27001/27002
ISO/IEC 27701:2019 - Privacy information management, extending ISO/IEC 27001/27002
Health Insurance Portability and Accountability Act ("HIPAA")
Security-related Training
Tealium's employees must complete annual Information Security Awareness training to ensure that everyone at Tealium understands their role and responsibilities in the security of Tealium and our Services.
Tealium's Operations staff undergo extended training on security and HIPAA requirements to ensure they understand the additional controls in place and the privacy impacts of handling protected health information (PHI).
Tealium's developers are trained in secure coding practices, covering at a minimum the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Software Errors.