Benefits and payroll management company Sequoia says hackers accessed sensitive customer information, including their Social Security numbers and COVID-19 test results.
According to Wired, which first broke the news of Sequoia’s breach last week, the incident impacted customers of Sequoia One, a professional employer organization (or PEO) that provides outsourced human resources and payroll services. The service is popular with U.S.-based startups, and says it works with more than 500 venture-backed companies.
Now, in a data breach notice filed with the California attorney general’s office, Sequoia said it became aware that an “unauthorized party may have accessed a cloud storage system that contained personal information” over a two-week period between September 22 and October 6. This breached cloud system stored an array of sensitive personal data, including names, home addresses, dates of birth, gender, marital status, and employment status. It also included Social Security numbers, their salary wage related to benefits, government identity cards, and COVID-19 test results and vaccine cards.
Sequoia added that the review also found no evidence of malware, a data extortion attempt, or any evidence of ongoing unauthorized access to company systems. Because the hacker’s access was “read-only,” the company said no client data had been changed.
Sequoia said it hired Dell Secureworks to conduct a forensic investigation, which found “no evidence that the unauthorized party misused or distributed data.” It’s not clear if Sequoia has the technical means, such as logs, to determine what information was accessed or what data was siphoned, if any.
When asked by TechCrunch, Sequoia declined to say how the customer data became exposed and would not say how many individuals had their personal data compromised.
Read more on security: