HR platform Sequoia claims hackers accessed customer SSNs and COVID-19 data
Benefits and payroll management company Sequoia says hackers accessed sensitive customer information, including their Social Security numbers and COVID-19 test results.
According to Wired, which first reported the Sequoia breach last week, the incident affected customers of Sequoia One, a professional employers' organization (or PEO) that provides outsourced human resources services and pay. The service is popular with US-based startups and says it works with over 500 venture backed companies.
Now, in a data breach notice filed with the California Attorney General's office, Sequoia said it learned that an "unauthorized party may have accessed a cloud storage system containing personal information" on a two-week period between September 22 and October 6. This hacked cloud system stored a range of sensitive personal data, including names, home addresses, dates of birth, gender, marital status and employment status. It also included social security numbers, their benefits-related salary, government ID cards, COVID-19 test results, and vaccination cards.
Sequoia added that the review also found no evidence of malware, attempted data extortion, or evidence of continued unauthorized access to company systems. Since the hacker's access was "read-only", the company said no customer data was modified.
Sequoia said it hired Dell Secureworks to conduct a forensic investigation, which found "no evidence that the unauthorized party misused or distributed any data." It is unclear whether Sequoia has the technical means, such as logs, to determine what information was accessed or what data was siphoned off, if any.
When asked by TechCrunch, Sequoia declined to say how customer data was exposed and would not say how many people had their personal data compromised.
Learn more about security:
Benefits and payroll management company Sequoia says hackers accessed sensitive customer information, including their Social Security numbers and COVID-19 test results.
According to Wired, which first reported the Sequoia breach last week, the incident affected customers of Sequoia One, a professional employers' organization (or PEO) that provides outsourced human resources services and pay. The service is popular with US-based startups and says it works with over 500 venture backed companies.
Now, in a data breach notice filed with the California Attorney General's office, Sequoia said it learned that an "unauthorized party may have accessed a cloud storage system containing personal information" on a two-week period between September 22 and October 6. This hacked cloud system stored a range of sensitive personal data, including names, home addresses, dates of birth, gender, marital status and employment status. It also included social security numbers, their benefits-related salary, government ID cards, COVID-19 test results, and vaccination cards.
Sequoia added that the review also found no evidence of malware, attempted data extortion, or evidence of continued unauthorized access to company systems. Since the hacker's access was "read-only", the company said no customer data was modified.
Sequoia said it hired Dell Secureworks to conduct a forensic investigation, which found "no evidence that the unauthorized party misused or distributed any data." It is unclear whether Sequoia has the technical means, such as logs, to determine what information was accessed or what data was siphoned off, if any.
When asked by TechCrunch, Sequoia declined to say how customer data was exposed and would not say how many people had their personal data compromised.
Learn more about security:
What's Your Reaction?
