Popular HR and Payroll Company Sequoia Discloses a Data Breach

The human resources, payroll, and benefits management company Sequoia said in disclosures to customers at the beginning of the month that it detected unauthorized access to a cloud storage repository that contained an array of sensitive and personal data related to the company’s Sequoia One customers. 

Sequoia notified both its corporate customers and the individual people whose data may have been impacted by the breach, which the company says occurred between September 22 and October 6. The company is offering victims three years of free Experian identity protection services. Sequoia’s breached cloud system stored an array of sensitive personal data, including names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system.

“An unauthorized party may have accessed a cloud storage system that contained personal information,” the company wrote in the customer and individual disclosures. WIRED reviewed examples of both notifications. “As soon as the Company became aware of the situation, a response plan was initiated and a number of immediate actions were completed, including working with outside counsel to initiate a forensic review by Dell Secureworks … The forensic review found no evidence that the unauthorized party misused or distributed data.”

Sequoia One is a “professional employer organization,” or PEO, that provides outsourced HR and payroll services. The company is popular with startups because it streamlines the process of managing and adjudicating core programs like compensation, benefits, and equity. Sequoia One is popular with US startups and says it currently works with more than 500 venture-backed companies. 

When WIRED asked Sequoia how many people had their data exposed and are being offered free identity protection services, Kristin Schaeffer, vice president of public relations at the communications firm AMF Media Group, declined to comment on behalf of the company. “At this time our focus and communication is only with our clients,” she said.

The disclosures say that Dell Secureworks did not find malware on Sequoia’s systems, did not see evidence of a data extortion attempt, did not find any compromised computers or servers in Sequoia’s infrastructure, and did not see evidence of ongoing unauthorized access to the company’s systems. Sequoia emphasizes that it has not detected any use or distribution of the data so far. 

“Unauthorized access of information in a cloud storage system occurred between September 22 and October 6, 2022,” the company wrote. “The access was ‘read only,’ and there is no evidence that the unauthorized party changed any client data.”

Still, it is common for hackers or even their automated systems to find and scrape unsecured cloud storage systems, and stolen data can take time to surface.

“Sequoia One is very popular with startups; the last two I’ve worked for used them,” says open source security researcher Jonathan Leitschuh, who was notified this week that his data was compromised in the breach. “I honestly was not surprised when I got the notification in the mail, not because of Sequoia specifically, I’ve just been in the security space long enough to know that it’s just a matter of time.”

Leitschuh notes that after three years, the free identity theft monitoring will end, but his Social Security number and many other personal details will remain the same. 

“With third-parties like Sequoia that others contract with, the end user can’t really opt out or change anything about the relationship if they want the job,” he says. “But you don’t know how these companies are defending this data long-term.”