Sequoia Benefits, Sequoia One Failed to Protect Private Customer Data from Cyberattack, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit accuses two California-based human resources management companies of failing to protect their customers’ personal information from a cyberattack in the fall of 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

Per the 19-page complaint, the cloud system used by Sequoia Benefits and Insurance Services LLC (Sequoia Benefits) and Sequoia One PEO LLC (Sequoia One) was infiltrated by cybercriminals between late September and early October, compromising the sensitive data of the defendants’ customers and their families. The case relays that the personal information accessed in the data breach included “names, addresses, dates of birth, employment status, marital status, Social Security numbers, wage data related to benefits, member identification cards, Covid-19 test results, and vaccination cards.”

The lawsuit alleges that the two companies, whose corporate clients include Dropbox, Zoom, Buzzfeed and Minted, did not adequately maintain their security systems and “failed to take basic precautions” to secure their network against hackers.

The companies “declined to disclose how many individuals’ data was compromised in the Breach,” the complaint reads. “But based on the company’s long list of customers, and the scope of information that [the defendants] carelessly stored in the cloud, the breach likely affected millions of individuals.”

The complaint contends that the defendants’ notification letters “attempt to downplay the harm caused by the Data Breach.”

According to the suit, Sequoia Benefits and Sequoia One advertise themselves as “a safe repository for sensitive information,” and as cybersecurity “authorities.” The companies distribute articles of advice on the subject to their clients, the filing says, and the lawsuit claims that this shows the defendants understood the need for secure protection of personally identifiable information (PII).

Per the case, the companies “should have known of the inherent risks in collecting and storing massive amounts of PII, the importance of providing adequate data security over that PII, and the frequent cyberattacks on businesses that store sensitive PII like that in Sequoia’s possession.”

The defendants have more than 1,700 clients, the lawsuit claims, which means their network stores the private personal information of millions of people. According to the case, those whose data has been compromised have “suffered irreparable harm” and now face “an increased risk of identity theft for the foreseeable future.”

The lawsuit looks to represent anyone in the United States whose personal data was compromised in the cyberattack announced by Sequoia Benefits and/or Sequoia One in December 2022.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.