Benefits and payroll management company Sequoia says hackers accessed sensitive customer information, including their Social Security numbers (SSNs) and COVID-19 test results.
According to Wired, which first broke the news, the incident impacted customers of Sequoia One — which is a professional employer organization (or PEO) that provides outsourced human resources and payroll services. That service is said to be popular with U.S.-based startups, and says it works with more than 500 venture-backed companies.
In a data breach notice filed with the California attorney general’s office, Sequoia said it became aware that an “unauthorized party may have accessed a cloud storage system that contained personal information” over two weeks between September 22 and October 6.
This breached cloud system stored an array of sensitive personal data, such as names, home addresses, dates of birth, gender, marital status, and employment status. Also included were Social Security numbers, the salary wage related to benefits, government identity cards, and COVID-19 test results and vaccine cards.
The review found no evidence of malware, a data extortion attempt, or any evidence of ongoing unauthorized access to company systems. Also, because the hacker’s access was “read-only,” no client data had been changed.
Sequoia went on to conduct a forensic investigation with the help of Dell Secureworks, which found “no evidence that the unauthorized party misused or distributed data.” It is, however, unclear if Sequoia has the technical means, such as logs, to determine what information was accessed or what data was siphoned, if any.
As we’re writing this, it is still unknown how the customer data became exposed nor how many individuals had their data compromised.
This is yet another hacking case where you, as an individual, can do little about it. It is up to the more prominent players to adequately protect their data, which sometimes could also include your data. On your end, you should protect your whereabouts with a good VPN and an antivirus and observe what and where you click on. And always use your brain to determine whether something is safe or not.