Popular HR and Payroll Company Sequoia Discloses a Data Breach


The human resources, payroll, and benefits management company Sequoia said in disclosures to customers at the beginning of the month that it detected unauthorized access to a cloud storage repository that contained an array of sensitive and personal data related to the company’s Sequoia One customers. 

Sequoia notified both its corporate customers and the individual people whose data may have been impacted by the breach, which the company says occurred between September 22 and October 6. The company is offering victims three years of free Experian identity protection services. Sequoia’s breached cloud system stored an array of sensitive personal data, including names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system.

“An unauthorized party may have accessed a cloud storage system that contained personal information,” the company wrote in the customer and individual disclosures. WIRED reviewed examples of both notifications. “As soon as the Company became aware of the situation, a response plan was initiated and a number of immediate actions were completed, including working with outside counsel to initiate a forensic review by Dell Secureworks … The forensic review found no evidence that the unauthorized party misused or distributed data.”

Sequoia One is a “professional employer organization,” or PEO, that provides outsourced HR and payroll services. It is popular with US startups because it streamlines the process of managing and adjudicating core programs like compensation, benefits, and equity, and it says it currently works with more than 500 venture-backed companies.

When WIRED asked Sequoia how many people had their data exposed and are being offered free identity protection services, Kristin Schaeffer, vice president of public relations at the communications firm AMF Media Group, declined to comment on behalf of the company. “At this time our focus and communication is only with our clients,” she said.

The disclosures say that Dell Secureworks did not find malware on Sequoia’s systems, did not see evidence of a data extortion attempt, did not find any compromised computers or servers in Sequoia’s infrastructure, and did not see evidence of ongoing unauthorized access to the company’s systems. Sequoia emphasizes that it has not detected any use or distribution of the data so far. 

“Unauthorized access of information in a cloud storage system occurred between September 22 and October 6, 2022,” the company wrote. “The access was ‘read only,’ and there is no evidence that the unauthorized party changed any client data.”

Still, it is common for hackers or even their automated systems to find and scrape unsecured cloud storage systems, and stolen data can take time to surface.

“Sequoia One is very popular with startups; the last two I’ve worked for used them,” says open source security researcher Jonathan Leitschuh, who was notified this week that his data was compromised in the breach. “I honestly was not surprised when I got the notification in the mail, not because of Sequoia specifically, I’ve just been in the security space long enough to know that it’s just a matter of time.”

Leitschuh notes that after three years, the free identity theft monitoring will end, but his Social Security number and many other personal details will remain the same. 

“With third-parties like Sequoia that others contract with, the end user can’t really opt out or change anything about the relationship if they want the job,” he says. “But you don’t know how these companies are defending this data long-term.”
