Outsourced human resources provider Sequoia One is disclosing to customers that an array of sensitive employee data was affected by unauthorized access to its cloud computing storage account, reports Wired.
Data that the unauthorized party accessed includes “names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system,” Wired reported.
San Francisco-based Sequoia One says it serves more than 500 venture capital-backed firms. The firm has yet to address the data breach outside of notification letters that Wired says the company sent to affected individuals and to corporate clients.
State law requires businesses to notify the state attorney general in the event that a breach affects more than 500 California residents. Press representatives of California Attorney General Rob Bonta did not respond to multiple attempts to contact them. At the time of publication, no sample breach notification from Sequoia appears on the attorney general’s public tracker of reportable breaches.
According to Wired, Sequoia is telling customers that the breach at the cloud storage system occurred between Sept. 22 and Oct. 6. The unauthorized user obtained “read-only” access, leading Sequoia to conclude that “there is no evidence that the unauthorized party changed any client data.” As Wired says, that doesn’t necessarily rule out the possibility that the unauthorized party scraped data.