A class action lawsuit was recently filed against HR and payroll giant Sequoia Benefits & Insurance and its subsidiary Sequoia One after the company announced that its cloud storage system had been breached and highly sensitive information about its users stolen.
Sequoia Waited Months Before Notifying Clients They Are At Risk For Identity Theft
On December 7, 2022, Sequoia sent a Notice of Data Breach Letter to its customers, both corporate clients and individuals, informing them that their personally identifiable information (“PII”) was exposed through an “unauthorized party” that “may have accessed a cloud storage system.”
According to the Breach Letter, hackers first gained access to Sequoia’s systems between September 22, 2022 and October 6, 2022. The PII stolen by the hackers included, but was not limited to, names, Social Security numbers, addresses, dates of birth, gender, marital status, employment status, work email addresses, member IDs, wage data for benefits, attachments (if any) you may have provided for advocate services, ID cards, and COVID test results or a vaccine card you may have uploaded.
Although Sequoia states it learned of the data breach only “recently,” it still waited months to provide actual notice to victims despite knowing that hackers had accessed its cloud storage system and the sensitive PII stored there.
In the Breach Letter, Sequoia informed victims that its forensic review found “no evidence of data being used or distributed” at that time. A forensic review of this kind examines the company’s information systems to determine the scope of the intrusion and what data was taken; it typically does not determine whether the hackers have misused or distributed the data.
Sequoia Offering Victims 36 Months Of Identity Protection Services
Sequoia has offered data breach victims 36 months of Experian IdentityWorks credit and identity monitoring, but the window for victims to enroll may be short. Some may regard this as little relief, given that cybercriminals usually sit on stolen data until the identity protection period expires.
The best way to protect yourself after a data breach is to sign up for credit and identity protection services as soon as possible. California offers extra protections and legal rights to its residents through the California Consumer Privacy Act (“CCPA”).
Notice of Data Breach Letter Misleads Breach Victims
Sequoia’s Data Breach notification letter attempts to downplay the harm caused by the Data Breach, stating that Sequoia conducted a forensic review of the breach and “found no evidence that the unauthorized party misused or distributed data” at this time.
This statement appears to be designed to mislead the victims of this breach. Forensic reviews examine the breached company’s information systems to determine the scope of the intrusion and what data was taken; they do not typically investigate whether the hackers have misused or distributed the data.
Sequoia Markets Itself as an Authority On Cybersecurity
Sequoia has been in business for over 20 years and services over 1,700 corporate clients including Dropbox, Zoom, Buzzfeed, and Minted. Sequoia is also popular with startups, and says it works with over 500 venture-backed companies.
Sequoia promotes itself as being able to help businesses “establish secure processes for uploading health information, storing medical verification documents and ensuring only the right people have access to this sensitive data.” It also markets itself as an authority on cybersecurity.
Sequoia’s Failure To Comply with Industry Standard Security Protocols Led To Data Breach
Despite Sequoia’s self-proclaimed cybersecurity prowess, the lawsuit alleges that it failed to comply with Federal Trade Commission standard security practices as well as accepted industry standards designed to protect private information in the healthcare industry.