A leading venture capital firm based in California’s Silicon Valley has fallen victim to a cyber-attack.
According to Axios, Sequoia Capital contacted investors on Friday, February 19, to inform them that their financial data and personal information had been accessed by an unauthorized third party. The data breach occurred after the email account belonging to an employee at the firm was compromised in a phishing attack.
Sequoia Capital is run from offices on Sand Hill Road in Menlo Park. Companies that the firm has invested in include Airbnb, DoorDash, 23andMe, GitHub, Google, Zoom, WhatsApp, YouTube, and Robinhood, and cybersecurity firms Carbon Black, Tessian, and FireEye.
The 49-year-old firm said law enforcement had been notified of the security breach and that IT specialists had been hired to investigate what happened and restore cybersecurity to the company.
“We recently experienced a cybersecurity incident. Our security team responded promptly to investigate, and we contacted law enforcement and engaged leading outside cybersecurity experts to help remediate the issue and maintain the ongoing security of our systems,” said a Sequoia spokesperson.
“We regret that this incident has occurred and have notified affected individuals. We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats.”
Sequoia Capital, which Pitchbook data states has more than $38bn in assets under management, said it had found no evidence that any investor data compromised in the incident has been misused.
“Phishing attacks are a real threat for many organizations. However, not all phishing security incidents are equal and successful phishing attacks that compromise employees with privileged access or access to privileged data can have a serious impact either from ransomware or data theft,” Joseph Carson, chief security scientist and advisory CISO at Thycotic told Infosecurity Magazine.
“The latest news regarding Sequoia Capital shows that privileged access continues to be a major challenge for organizations and how critical it is to protect privileged access and access to privileged data,” Carson said. “Privileged access is no longer just about domain admins . . . [I]t is also important to consider business users who have access to sensitive data as privileged access.”