Sequoia Capital discloses data breach after failed BEC attack

Attacker was only able to access the inbox of one employee

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The US venture capital firmSequoia Capitalhas published a notice of data breach after a hacker was able to gain access to the inbox of one of its employees as part of an unsuccessful business email compromise (BEC) attack that took place back in January.

Sequoia Capital has been around since 1972 and over the years it has invested in a number of high-profile tech companies includingApple,Nvidia,Google, Oracle, Cisco and more as well as numerous startups such as Airbnb, Dropbox, FireEye, Stripe, Square andWhatsApp.

Back in December of last year, the FBI sent out aPrivate Industry Notification(PIN) warning US businesses that cybercriminals has begun to abuse auto-forwarding rules in web-basedemail clientsto increase the chances of success of their BEC attacks.

It seems Sequoia Capital should have heeded this warning as this exact technique was used by an attacker to gain access to its data and almost to its network.

Failed BEC attack

In anotice of data breachsent to those affected by the failed BEC attack, Sequoia Capital explained the steps it took once it learned that an unauthorized third party had gained access to one of its employee’s email accounts, saying:

“On or about January 20, 2021, we learned that an unauthorized third party had gained remote access to the business email mailbox of one Sequoia employee, with the apparent aim of conducting a wire diversion scam. Our investigation has found no evidence of compromise beyond this single mailbox. We quickly took steps to secure our network and began to investigate the incident with the support of outside cybersecurity experts.”

Thankfully the attacker was only able to breach one employee’s inbox and they did not gain access to any other resources or assets on Sequoia Capital’s network. However, the company did say that thepersonal informationof fewer than 1,000 Californian residents may have been exposed in the attack.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The security experts hired by Sequoia Capital also found no evidence that this personal data was being sold or traded by cybercriminals on thedark web. To protect those whose information may have been exposed, the company is offering 24 months of free credit monitoring andidentity theft protectionfromExperian.

ViaBleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

The Galaxy S25 Ultra’s rumored iPhone-beating power could tempt me back to Android