Breach at HR management company Sequoia raises questions about cloud security

HR management company Sequoia informed customers of a breach of data due to an unsecured cloud system, which was accessible between September 22 and October 6, 2022.

In a December 2 letter sent to affected clients—including Morning Brew employees—Sequoia said that the breach had exposed names, Social Security numbers, ages, IDs, wage data, and other sensitive information. Sequoia had over 800 business clients as of May 2022, according to a press release from employment-services API provider Finch.

The company ran an audit of its systems by third-party vendor Dell Secureworks, which Sequoia said detected no malware or evidence of a ransomware attack.

According to Sequoia’s letter to users, the system was accessed with “read-only” permissions and it has “no evidence” that it was altered by an unauthorized party. The company also stated in the letter that its network was not compromised and that it had found no signs that the data was being “used or distributed.”

Nonetheless, the breach shows the extent to which organizations reliant on third-party vendors like Sequoia for HR, benefits, and payroll services may also be outsourcing security risks.

Joe Slowik, senior manager of threat intelligence and detections engineering at Gigamon, told IT Brew that while many details of the incident remain publicly unknown, the breach likely involved an unsecured “cloud instance” that wasn’t being properly monitored. This is part of a broader security concern around cloud systems that companies and organizations need to take into account, he said.

“As organizations adopt a cloud-oriented posture, that means extending their security boundary into spaces that operate a little differently than the traditional network stack,” Slowik said. “And that means it’s necessary to extend visibility into telemetry around cloud communication as well, so that organizations can answer or ascertain what has happened.”

Organizations that use cloud or hybrid models to store and interact with sensitive data should be “regularly auditing and evaluating the accessibility of that information, and the configuration used to store and to preserve the confidentiality of that information,” Slowik added. “Because absent those controls, and verifying those controls, you can end up in situations such as this, where that data can be accessed by unauthorized entities.”

The HR provider is offering three years of Experian IdentityWorks coverage to those affected. Sequoia communications rep Blake Irwin told IT Brew in an email that “at this time, our focus and communication is only with our clients’ decision makers. We respectfully decline to comment.”

Slowik said consumers should understand it is “essentially impossible” to avoid their data ending up in a similar leak and take proactive steps to limit its potential for abuse.

“Given the sheer amounts of personal information—including sensitive personal information—that’s used and shared for fairly basic services these days, most consumers will have to accept the inevitability that this sort of thing will happen, and to take appropriate steps to monitor their sensitive information and how it might be used and to try to limit the exposure that wherever possible,” Slowik said.—EH, TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or [email protected]. Want to go encrypted? Ask Eoin or Tom for their Signal.