Benefits and payroll management company Sequoia says the hackers accessed sensitive customer information, including their Social Security numbers and COVID-19 test results.
According to Wired, which first broke news of the Sequoia breach last week, the incident impacted customers of Sequoia One, a professional employers’ organization (or PEO) that provides outsourced services. human resources and payroll. The service is popular with US-based startups and claims it works with more than 500 venture-backed companies.
Now, in a data breach notice filed with the California Attorney General’s office, Sequoia said it became aware that an “unauthorized party may have accessed a cloud storage system containing personal information” over a period of time. two weeks between September 22 and October 6. This hacked cloud system stored an array of sensitive personal data, including names, home addresses, dates of birth, gender, marital status and employment status. It also included social security numbers, their benefits-related salary, government ID cards, COVID-19 test results, and vaccination cards.
Sequoia added that the review also found no evidence of malware, attempted data extortion, or evidence of ongoing unauthorized access to company systems. Since the hacker’s access was “read-only”, the company said no customer data was altered.
Sequoia said it hired Dell Secureworks to conduct a forensic investigation, which found “no evidence that the unauthorized party misused or distributed any data.” It is unclear whether Sequoia has the technical means, such as logs, to determine what information was accessed or what data was siphoned off, if any.
When asked by TechCrunch, Sequoia declined to say how customer data was exposed and did not say how many people had had their personal data compromised.
Learn more about security: