VC giant Sequoia Capital discloses data breach after failed BEC attack

American VC firm Sequoia Capital has disclosed a data breach following what looks like a failed business email compromise (BEC) attack from January.

Since its founding in 1972, the venture capital (VC) firm Sequoia has invested in a long list of high-profile companies (e.g., Apple, NVIDIA, Google, Oracle, Yahoo, LinkedIn, YouTube, Paypal, Electronic Arts, and Cisco).

The VC giant also backed many start-ups, including Airbnb, Dropbox, FireEye, Palo Alto Networks, Stripe, Square, and WhatsApp.

In total, the companies Sequoia has backed and invested in over the years now have an "aggregate, public market value of over $3.3 trillion."

Two months ago, the FBI warned US companies about scammers actively abusing email auto-forwarding rules to increase the BEC attacks' success rate.

BEC fraudsters use a combination of social engineering, phishing, and hacking to compromise business email accounts with the end goal of redirecting payments to bank accounts under their control.

Attackers gained access to employee's mailbox

"On or about January 20, 2021, we learned that an unauthorized third party had gained remote access to the business email mailbox of one Sequoia employee, with the apparent aim of conducting a wired version scam," Sequoia Capital explained in a notice of data breach sent to affected individuals.

While the attackers were able to breach the employee's email inbox, they didn't gain access to other resources or assets on the company's network.

"Our investigation has found no evidence of compromise beyond this single mailbox," Sequoia said.

Even though a single mailbox was impacted in the incident, the VC firm acknowledged that it might have allowed the threat actors to exfiltrate impacted individuals' personal information.

"The unauthorized access to the mailbox might have allowed the third party to acquire a copy of files including certain individuals’ personal information," Sequoia added.

"As part of our investigation, we have analyzed the contents of the affected email mailbox and determined that it contained your personal information and that the unauthorized third party might have accessed or acquired a copy of it."

Measures taken after the attack

After detecting the attack, Sequoia Capital hired external security experts to investigate the incident and secure its systems.

Sequoia said that it found no evidence that exfiltrated data was being sold or traded by cybercriminals on the dark web.

The company also informed relevant law enforcement authorities of the attack and has taken a series of measures to similar incidents in the future as it has:

• Identified and remediated the configuration that permitted the initial access;
• Deployed additional prevention and detection technology at multiple layers to improve visibility into anomalous user activity and malicious email content;
• Reviewed the methods we use to store and share sensitive information inside and outside the company, including email message forwarding rules; and
• Refreshed our security training with additional emphasis on phishing awareness and proper data handling.

Sequoia offers impacted individuals 24 months of free credit monitoring and identity theft protection through Experian.

Axios reported over the weekend about the VC firm informing investors that it was hacked and that their information might have been compromised as part of a data breach.

"We regret that this incident has occurred and have notified affected individuals," a Sequoia Capital spokesperson said. "We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats."