The US venture capital firm Sequoia Capital has published a notice of data breach after a hacker was able to gain access to the inbox of one of its employees as part of an unsuccessful business email compromise (BEC) attack that took place back in January.
Sequoia Capital has been around since 1972 and over the years it has invested in a number of high-profile tech companies including Apple, Nvidia, Google, Oracle, Cisco and more as well as numerous startups such as Airbnb, Dropbox, FireEye, Stripe, Square and WhatsApp.
Back in December of last year, the FBI sent out a Private Industry Notification (PIN) warning US businesses that cybercriminals has begun to abuse auto-forwarding rules in web-based email clients to increase the chances of success of their BEC attacks.
It seems Sequoia Capital should have heeded this warning as this exact technique was used by an attacker to gain access to its data and almost to its network.
Failed BEC attack
In a notice of data breach sent to those affected by the failed BEC attack, Sequoia Capital explained the steps it took once it learned that an unauthorized third party had gained access to one of its employee’s email accounts, saying:
“On or about January 20, 2021, we learned that an unauthorized third party had gained remote access to the business email mailbox of one Sequoia employee, with the apparent aim of conducting a wire diversion scam. Our investigation has found no evidence of compromise beyond this single mailbox. We quickly took steps to secure our network and began to investigate the incident with the support of outside cybersecurity experts.”
Thankfully the attacker was only able to breach one employee’s inbox and they did not gain access to any other resources or assets on Sequoia Capital’s network. However, the company did say that the personal information of fewer than 1,000 Californian residents may have been exposed in the attack.
The security experts hired by Sequoia Capital also found no evidence that this personal data was being sold or traded by cybercriminals on the dark web. To protect those whose information may have been exposed, the company is offering 24 months of free credit monitoring and identity theft protection from Experian.
Via BleepingComputer