Human resources, payroll, and benefits management company Sequoia said in a disclosure to clients earlier this month that an unauthorized party had gained access to a cloud storage system containing confidential and personal information about the company’s Sequoia One customers.
Sequoia has notified all its customers and the people whose data may be affected by the breach, which the company says took place between September 22 and October 6. The company is offering victims three years of free Experian privacy protection. Sequoia’s encrypted cloud storage holds personal information including names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, benefits-related payments, and member IDs, as well as some ID cards, Covid-19 test results, and vaccination cards that people submitted to their employers.
“An unauthorized party may have access to a cloud storage system that contains personal information,” the company wrote in its disclosures to customers and to individuals. WIRED reviewed samples of both disclosures. “As soon as the company became aware of this issue, a response process was initiated and several actions were completed, including working with outside counsel to initiate a review by Dell Secureworks … of data misuse or distribution.”
Sequoia One is a “professional employer organization,” or PEO, that provides outsourced HR and payroll services. It is popular with startups in the US because it supports the process of setting up and managing programs such as compensation, benefits, and equity, and it is said to currently work with over 500 companies.
When WIRED asked Sequoia how many people were exposed and offered free data protection services, Kristin Schaeffer, vice president of public relations at communications firm AMF Media Group, declined to comment on behalf of the company. “Right now our focus and connection is with our customers only,” Schaeffer said.
The disclosure states that Dell Secureworks found no malware on Sequoia’s systems, saw no evidence of attempted data extortion, found no compromised computers or servers in Sequoia’s infrastructure, and saw no evidence of unauthorized access to the company’s systems. Sequoia emphasizes that it has not identified the use or distribution of data so far.
“Unauthorized access to information on cloud storage systems occurred between September 22 and October 6, 2022,” the company wrote. “The access was ‘read only,’ and there is no evidence that an unauthorized party modified the client’s access.”
However, it is common for attackers, or even automated scanning systems, to find and copy the contents of unsecured cloud storage systems, and stolen data can take time to surface.
“Sequoia One is very popular with developers; the last two I used used it,” said open source security researcher Jonathan Leitschuh, who was notified this week that his data was compromised in the breach. “Honestly, I wasn’t surprised when I got the notification in the mail, not because of Sequoia in particular; I’ve just been in a safe place long enough to know it’s only a matter of time.”
Leitschuh said that after three years the free privacy protection will end, but his Social Security number and other personal information will remain the same.
“With third parties like Sequoia that some of them partner with, the end user can’t cancel or change anything about the relationship if they want to use it,” he said. “But you don’t know how these companies protect this for so long.”