December 20, 2022

Data Breach at Sequoia One Exposes Sensitive Customer Information

Written By Randy Hall

What do you do when your most personal information has been compromised? This is likely the question that customers of Sequoia One asked themselves earlier this month as they were informed that the company had been hacked.

Sequoia One specializes in the management of human resources, benefits, and payroll. For the past 21 years, they've worked with both corporate clients and individuals. Sequoia promises to take care of business owners' administrative needs so that they can focus on their mission. However, on December 7, 2022, customers received a notice that suggests their administrative problems may have just begun.

The company disclosed that an unauthorized party may have accessed its cloud storage system between September 22 and October 6, 2022. This breach puts several pieces of sensitive information at risk, including names, Social Security numbers, dates of birth, marital statuses, email addresses, and vaccine cards.

As soon as the breach had been identified, the company enacted its response plan. After a forensic review performed with the help of Dell Secureworks, a leading global security firm, the company determined that the software didn't contain any ransomware. It's also suspected that the unauthorized user had "read-only" access because no client data was changed or distributed.

Sequoia One is not the only California-based company that is struggling with data security issues. In fact, over the last five years, California has been at the top of the list of states that have experienced data breaches. Well-known names such as LendingTree, Kaiser, Blue Shield of Southern California, Macmillan, and Humana are counted among the affected companies.

As a rule, companies that store consumer data are responsible for keeping it safe from unauthorized access. But a data breach doesn't automatically make the company financially liable for the victim's damages. The company can only be held responsible if the breach resulted from negligence. Instances of negligence include failing to implement an up-to-date security system, mistakenly making sensitive information publicly available, sending consumer information to unauthorized parties, opening unsolicited emails containing malware, and responding to phishing attacks.

Sequoia One boasts more than 1700 corporate clients and more than 200 international clients. However, when asked how many of its clients had been affected by the breach, the company remained tight-lipped. "At this time, our focus and communication is only with our clients," said Kristin Schaeffer, public relations representative for the company. But according to California state law, businesses must notify the attorney general if a breach affects more than 500 state residents.

While Sequoia One may see no evidence of malicious behavior, experts say that it can take time for a data breach's full impact to surface. And while it hasn't been made public how many customers have been affected by the breach, the company is offering all of its clients free identity protection services for three years in order to help mitigate the situation. It has also notified the clients that are most at risk. The company has not yet made public how the unauthorized party gained access to its system.

About The Author
Randy Hall, CEO & Founder of Securafy, is a seasoned IT leader specializing in cybersecurity, compliance, and business resilience for SMBs. With deep technical expertise and decades of experience, he shares strategic insights on cybersecurity risks, AI in cybersecurity, emerging technology, and the economic challenges shaping the IT landscape. His content provides practical guidance for business owners looking to navigate evolving cyber threats and leverage technology for long-term growth.
