
Outsource HR Vendor Hit by Cyber Attack – Are You Immune?

Sequoia One is an outsourced HR vendor based in San Francisco that serves more than 500 venture-capital-backed firms.

According to a letter they sent to clients, an unauthorized party (like, say, perhaps, the Chinese government) accessed its cloud storage account.

Data that the unauthorized party (AKA the hacker) accessed includes “name, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, member IDs as well as any other ID cards, Covid-19 test results and vaccine cards.”

While California state law requires reporting breaches affecting more than 500 people, curiously, Rob Bonta, the AG, won’t answer any questions. Is his office trying to protect Sequoia One?

The breach lasted two weeks, and the company believes the hacker had only read-only access, so they don’t think – at least at the moment – that the hacker changed any employee data.

Several thoughts here:

  • The company is being very tight-lipped about what happened. I am sure their lawyers told them that was a good strategy. Unfortunately, all it does is make the rumor mill go wild. For example, since they are not saying who attacked them, let’s assume it was China or North Korea. That will get some clicks.
  • Assuming you are a cloud vendor (or any vendor that holds customer data), are you prepared to respond to an incident like this and not look as bad as Sequoia One does? Keeping silent about an attack that happened 90 days ago makes you look stupid or incompetent. Which would you prefer?
  • It is reported that Sequoia hired Dell Secureworks and they didn’t find any malware. There are a number of possibilities including it being an inside job or a resource was left unprotected. They likely don’t know. That indicates a lack of logging, monitoring, alerting or some combination.
  • The company is ignoring media requests for information, which leaves the media to report whatever they think might be the case, whether it is true or not. The media is unlikely to be “kind”.
  • This is not a great way to build confidence and enroll new customers. I am sure they will try to spin this, but smart companies are going to want a lot of answers after an incident like this and it doesn’t seem like they have that.
  • Finally, and probably most importantly, you likely use a number of firms like Sequoia. What is your level of confidence that they won’t get hit by an attack, will survive that attack, that your data will remain secure and YOU won’t get sued (because you will)?
  • How would your Incident Response program deal with a situation like this?
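The third bullet above comes down to one question: if someone read your cloud storage for two weeks, would anything have noticed? The script below is an added illustration of the kind of basic monitoring that question implies; it is not code from Sequoia One, Secureworks or any vendor named in this post. It assumes a hypothetical access log of one JSON record per line (timestamp, principal, source IP, operation, object key), builds a baseline of which principals normally read from which addresses, and then flags two things in the period after the baseline: a principal reading from an address it has never used before, and a burst of object reads from one principal and address inside a short window. The log lines are constructed sample data.

```python
"""Hypothetical cloud-storage access-log triage (added example, not vendor code).

Assumed log format: one JSON object per line with keys ts, principal, ip, op, key.
Two detections: (1) a principal reading from an IP not seen in the baseline period,
(2) a burst of GETs from one principal/IP pair within a short window.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). The first three lines form the baseline;
# the last four show a service account reading employee files at 2 a.m. from a new IP.
SAMPLE_LOG = """\
{"ts": "2022-09-01T09:00:00Z", "principal": "svc-hr-sync", "ip": "203.0.113.10", "op": "GET", "key": "employees/2022/a.csv"}
{"ts": "2022-09-01T09:01:00Z", "principal": "svc-hr-sync", "ip": "203.0.113.10", "op": "GET", "key": "employees/2022/b.csv"}
{"ts": "2022-09-01T09:02:00Z", "principal": "alice", "ip": "203.0.113.11", "op": "PUT", "key": "benefits/2022/q3.xlsx"}
{"ts": "2022-09-15T02:10:00Z", "principal": "svc-hr-sync", "ip": "198.51.100.7", "op": "GET", "key": "employees/2022/a.csv"}
{"ts": "2022-09-15T02:10:05Z", "principal": "svc-hr-sync", "ip": "198.51.100.7", "op": "GET", "key": "employees/2022/b.csv"}
{"ts": "2022-09-15T02:10:10Z", "principal": "svc-hr-sync", "ip": "198.51.100.7", "op": "GET", "key": "employees/2022/c.csv"}
{"ts": "2022-09-15T02:10:15Z", "principal": "svc-hr-sync", "ip": "198.51.100.7", "op": "GET", "key": "employees/2021/all.csv"}
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse the assumed JSON-lines format into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def build_baseline(records, baseline_end):
    """Set of (principal, ip) pairs observed before baseline_end."""
    return {(r["principal"], r["ip"]) for r in records if r["ts"] < baseline_end}


def find_anomalies(records, baseline_end, window=timedelta(minutes=5), read_threshold=3):
    """Return alerts as (kind, principal, ip, iso_timestamp) tuples."""
    baseline = build_baseline(records, baseline_end)
    alerts = []
    new_sources_seen = set()
    reads = defaultdict(list)  # (principal, ip) -> sorted GET timestamps

    for r in records:
        if r["ts"] < baseline_end:
            continue  # baseline period is used for learning, not alerting
        pair = (r["principal"], r["ip"])
        if pair not in baseline and pair not in new_sources_seen:
            new_sources_seen.add(pair)
            alerts.append(("new_source", r["principal"], r["ip"], r["ts"].strftime(TS_FMT)))
        if r["op"] == "GET":
            reads[pair].append(r["ts"])

    # Sliding window: alert once per pair when read_threshold GETs fall inside `window`.
    for (principal, ip), times in reads.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= read_threshold:
                alerts.append(("bulk_read", principal, ip, times[start].strftime(TS_FMT)))
                break
    return alerts


def run_demo():
    """Run both detections over the constructed log with a baseline cut-off of 10 Sept."""
    return find_anomalies(parse_log(SAMPLE_LOG), datetime(2022, 9, 10))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Neither rule is sophisticated, and real object-storage services expose richer signals (per-request identity, user agent, bytes read), but even this much would have turned a two-week read-only exposure into a same-day ticket. The thresholds and the window are assumptions to tune against your own traffic, and the baseline should be rebuilt on a schedule so that legitimate new addresses age into it rather than alerting forever.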

This is the second cyberattack this week (the other is Rackspace) where the company is being less than forthcoming about what is happening. It indicates a lack of preparedness on the part of companies.

If you need help, please contact us. Credit: Data Breach Today
