Report: Outsourced HR Firm Sequoia One Undergoes Data BreachCompany Stays Mum on Report That Unauthorized Party Saw Sensitive Data
Update Dec. 12, 2022 22:25 UTC: The California Office of Attorney General provided Information Security Media Group with sample copies of the data breach notification letters being sent by Sequoia One. They can be downloaded here. Sequoia One has still not responded to our request for comment.
Outsourced human resources provider Sequoia One is disclosing to customers that an array of sensitive employee data was affected by unauthorized access to its cloud computing storage account, reports Wired.
Data that the unauthorized party access includes "names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system," Wired reported.
San Francisco-based Sequoia One says it serves more than 500 venture-capital backed firms. The firm has yet to address the data breach outside of notification letters that Wired says the company sent to affected individuals and to corporate clients.
State law requires businesses to notify the state attorney general in the event that a breach affects more than 500 California residents. Press representatives of California Attorney General Rob Bonta did not return multiple attempts to contact them. No sample breach notification from Sequoia at the time of publication appears on the attorney general's public website tracking reportable breaches.
According to Wired, Sequoia is telling customers that the breach at the cloud storage system occurred between Sept. 22 and Oct. 6. The unauthorized user obtained "read-only" access, leading Sequoia to conclude that "there is no evidence that the unauthorized party changed any client data." As Wired says, that doesn't necessarily rule out the possibility that the unauthorized party scraped data.
Sequoia likewise did not respond to multiple Information Security Media Group requests for comment. Kristin Schaeffer, vice president of public relations at the communications firm AMF Media Group, told the magazine that she would also not comment publicly on the event or reveal the number of affected individuals. Schaeffer did not respond to ISMG.
The disclosure letters reportedly state that Sequoia hired Dell Secureworks in the aftermath of the breach but that the cybersecurity firm did not turn up malware and did not see evidence of ongoing unauthorized access to company systems. There was no extortion attempt, the disclosures reportedly state.