After receiving an unsolicited email from an unknown threat actor on November 13, 2022 alleging access to certain Sonder information, Sonder immediately commenced an investigation and confirmed, on November 14, 2022, that one of its Amazon Web Services (“AWS”) accounts had been subject to unauthorized access. Sonder took immediate steps to contain the event, including making sure that the unauthorized individual no longer had access to the AWS account, verifying that operations were not affected, and investigating the scope and impact of the incident. Sonder also engaged leading security and forensic specialists to assist in its investigation and response to the incident. Based on the investigation, the initial access to the AWS account by the threat actor appears to have been on May 21, 2022. The threat actor accessed the AWS account a limited number of times thereafter, the last access taking place on November 14, 2022
What information was exposed?
The investigation determined that certain guest records were involved in this incident, including guests’ full name, address, email address, phone number, date of birth, last four digits of credit card number, username, guest transaction receipts, IP address, and dates booked for past stays at Sonder properties. For a limited number of guests, copies of government issued photo identification were also involved.
Is my information impacted?
Information associated with guest accounts created prior to October 1, 2021 were involved in this incident. Additionally, Sonder identified certain copies of government-issued photo identification such as driver’s licenses or passports may have been accessed for a limited number of guest records.
We are notifying and making services available to guests whose information was involved in this incident, such as credit monitoring, identity monitoring, or WebWatcher services, which includes monitoring of internet sites where personal information may be shared and generates an alert to the guest if evidence of their personal information is found.
My Sonder account was created after November 14, 2022. Does that mean I am not impacted?
Correct. We have no evidence to indicate that accounts created after November 14, 2022 were affected.
How can I have my information removed from the Sonder systems or delete my Sonder account?
You may request the deletion of the information in your Sonder account by contacting us at [email protected].
Is my Sonder data secure?
Sonder is committed to its guests and worked to resolve this incident quickly. Sonder is very concerned with safeguarding your personal information. When you enter particularly sensitive information (such as a credit card number) on our registration or reservation forms, we encrypt that information using secure socket layer technology (SSL). We follow generally accepted industry standards to protect the Personal Information submitted to us, both during transmission and once we receive it.
Why didn’t you tell affected individuals about the loss of the data sooner?
Upon this discovery, the Company took swift action. The Company took steps to contain the event, including making sure that the unauthorized individual no longer had access to Sonder systems, verifying that operations were not affected, and investigating the scope and impact of the incident. The Company also engaged leading security and forensic specialists to assist in its investigation and response to the incident. Due to the complex and unstructured nature of the data involved, it took considerable time and effort to parse through and identify the data at issue and to whom such data relates
While the investigation remained ongoing, Sonder immediately issued a press release and took the following steps to help impacted guests monitor and protect their information:
- Launched a dedicated page at blog.sonder.com for guests who have questions about this incident.
- Sonder notified and provided services to guests whose sensitive information was involved in this incident, such as credit monitoring, identity protection, or WebWatcher services, which includes monitoring of internet sites where personal information may be shared and generates an alert to the guest if evidence of their personal information is found.
Who should I contact if I have questions?
Please contact [email protected] or call 1-855-504-2761 (U.S., Canada, Mexico) or +44 20 7570 0344 (Europe and all other regions).
What are the risks of identity theft with the information that was exposed?
Receiving a notice of this incident does not mean that you are, or will be, a victim of identity theft. At this time, we have no evidence to indicate that your information has been misused. However, we recommend regularly reviewing and monitoring account statements and credit history to guard against any unauthorized transactions or activity.
What other steps can I take?
You may also take advantage of your rights to the free fraud alert services offered by the three major credit bureaus, should you feel it appropriate to do so. Placing fraud alerts will provide your credit with additional protection. In addition, doing so will give you access to copies of each of your credit reports at no cost to you.
A security freeze will prevent lenders and others from accessing your credit report completely.