Professional employer organization Sequoia Benefits and Insurance Services LLC has suffered a data breach, with sensitive and personal data related to its customers potentially stolen.

First reported today by Wired, the company is said to have notified customers and individuals affected by the breach, which took place between Sept. 22 and Oct. 6. Data that may have been stolen included names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits and member IDs. Also potentially stolen were other ID card information, COVID-19 test results and vaccine status.

In a message to customers, Sequoia said that as soon as it became aware of the situation, it put in place a response plan, including hiring Dell SecureWorks to undertake a forensic investigation. The investigation found no evidence that the unauthorized party had misused or distributed the data but stopped short of saying that it had not been accessed and stolen.

Dell SecureWorks is said to have found no evidence of malware, a data extortion attempt, or any evidence of ongoing unauthorized access to company systems. Hinting at how the data may have been exposed, Sequoia noted that the data was “read-only” and that there was no evidence that the unauthorized party had changed any client data.

Sequoia was founded in 2001 and provides human resources, payroll and related services to various companies and startups. Notable clients include BuzzFeed Inc., Minted LLC, Wix.com Ltd., DropBox Inc., Ted Conferences LLC and Zoom Video Communications Inc.

As the saying goes, if it quacks like a duck, it’s a duck and given that the forensic analysis has found no evidence of malware, ransomware or data extortion, this case quacks like an exposed cloud instance. It’s not clear what company Sequoia uses for cloud hosting, but it would surprising if the breach didn’t involve an exposed ElasticSearch or Amazon Web Services Inc. instance. Security experts are also pointing the finger at likely cloud storage exposure.

“Enterprises adopt cloud-native strategies because they want to accelerate their processes and their ability to innovate,” Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, told SiliconANGLE. “Unfortunately, most organizations struggle with the right level of data security to avoid compromise within the cloud environment.”

Shadabi added that while cloud service providers offer data security capabilities, the business is still the responsible caretaker.

Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., said that “this is a massive breach that will have a large impact on all affected customers based on the amount of sensitive data that has been stolen.”

“Unlike credit card information, sensitive personal information cannot be easily changed or amended or in most cases not changed at all,” Malik explained. “The long-term impact should not be underestimated as criminals can use this information to launch spear phishing attacks against victims.”

Image: Sequoia