Popular HR and Payroll Company Sequoia Discloses a Data Breach

The human resources, payroll, and benefits management company Sequoia said in disclosures to customers at the beginning of the month that it detected unauthorized access to a cloud storage repository that contained an array of sensitive and personal data related to the company’s Sequoia One customers. 

Sequoia notified both its corporate customers and the individual people whose data may have been impacted by the breach, which the company says occurred between September 22 and October 6. The company is offering victims three years of free Experian identity protection services. Sequoia’s breached cloud system stored an array of sensitive personal data, including names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system.

“An unauthorized party may have accessed a cloud storage system that contained personal information,” the company wrote in the customer and individual disclosures. WIRED reviewed examples of both notifications. “As soon as the Company became aware of the situation, a response plan was initiated and a number of immediate actions were completed, including working with outside counsel to initiate a forensic review by Dell Secureworks … The forensic review found no evidence that the unauthorized party misused or distributed data.”

Sequoia One is a “professional employer organization,” or PEO, that provides outsourced HR and payroll services. It is popular with US startups because it streamlines the process of managing and adjudicating core programs like compensation, benefits, and equity. Sequoia One says it currently works with more than 500 venture-backed companies.

When WIRED asked Sequoia how many people had their data exposed and are being offered free identity protection services, Kristin Schaeffer, vice president of public relations at the communications firm AMF Media Group, declined to comment on behalf of the company. “At this time our focus and communication is only with our clients,” she said.

The disclosures say that Dell Secureworks did not find malware on Sequoia’s systems, did not see evidence of a data extortion attempt, did not find any compromised computers or servers in Sequoia’s infrastructure, and did not see evidence of ongoing unauthorized access to the company’s systems. Sequoia emphasizes that it has not detected any use or distribution of the data so far. 

“Unauthorized access of information in a cloud storage system occurred between September 22 and October 6, 2022,” the company wrote. “The access was ‘read only,’ and there is no evidence that the unauthorized party changed any client data.”

Still, it is common for hackers or even their automated systems to find and scrape unsecured cloud storage systems, and stolen data can take time to surface.

“Sequoia One is very popular with startups; the last two I’ve worked for used them,” says open source security researcher Jonathan Leitschuh, who was notified this week that his data was compromised in the breach. “I honestly was not surprised when I got the notification in the mail, not because of Sequoia specifically, I’ve just been in the security space long enough to know that it’s just a matter of time.”

Leitschuh notes that after three years, the free identity theft monitoring will end, but his Social Security number and many other personal details will remain the same. 

“With third-parties like Sequoia that others contract with, the end user can’t really opt out or change anything about the relationship if they want the job,” he says. “But you don’t know how these companies are defending this data long-term.”
