Block Confirms Cash App Data Breach
Block, formerly Square, has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained customer information.
The company detailed the data breach in a U.S. Securities and Exchange Commission filing. On April 4, it reported learning that a former employee had downloaded, on Dec. 10, certain reports of its subsidiary Cash App Investing that contained some U.S. customer information.
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” it said. “The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.”
The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information, Block said. They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features, and customers outside of the United States, were not impacted.
“Upon discovery, the company and its outside counsel launched an investigation with the help of a leading forensics firm,” Block said. “Cash App Investing is contacting approximately 8.2 million current and former customers to provide them with information about this incident and sharing resources with them to answer their questions. The company is also notifying the applicable regulatory authorities and has notified law enforcement.”
Future costs associated with this incident are difficult to predict, Block said.
“Although the company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the company does not currently believe the incident will have a material impact on its business, operations or financial results,” it said.
Erich Kron is a security awareness advocate at KnowBe4.
“This situation stresses the need for a well-defined employee offboarding process, and possibly even the dangers of shared passwords within organizations,” he said. “Without a strong offboarding process, accounts that should be disabled can easily be missed, leaving them open for abuse by ex-employees. Shared passwords are equally as dangerous, especially if they are not changed immediately after an employee leaves. It is not uncommon for ex-employees to feel entitled to information, including that of customers they worked with, or of intellectual property they worked on. Not removing access to this information quickly and efficiently can lead to employees returning to take it.”
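The offboarding gap Kron describes (access that outlives employment) is something a defender can check for mechanically. The following is an added example, not code from Block or the article: it cross-references report-download events against HR separation dates to flag post-termination access, and lists accounts left enabled after an employee's last day. All employee ids, dates and log lines are constructed.

```python
from datetime import date

# Constructed HR records: employee id -> last day of employment (None = still employed)
SEPARATIONS = {
    "emp-1001": date(2021, 11, 30),
    "emp-1002": None,
    "emp-1003": date(2021, 12, 1),
}

# Constructed access log: "<date> <employee_id> <action> <resource>"
ACCESS_LOG = """\
2021-11-15 emp-1001 download investing-report-daily
2021-12-10 emp-1001 download investing-report-daily
2021-12-10 emp-1002 download investing-report-daily
"""

# Constructed snapshot of accounts that are currently enabled in the reporting system
ENABLED_ACCOUNTS = ["emp-1001", "emp-1002", "emp-1003"]


def parse_log(text):
    """Parse the whitespace-separated log into (date, employee, action, resource)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, emp, action, resource = line.split()
        events.append((date.fromisoformat(when), emp, action, resource))
    return events


def post_termination_access(events, separations):
    """Return events where the actor's employment had already ended on that date."""
    flagged = []
    for when, emp, action, resource in events:
        last_day = separations.get(emp)
        if last_day is not None and when > last_day:
            flagged.append({"date": when.isoformat(), "employee": emp,
                            "action": action, "resource": resource,
                            "days_after_separation": (when - last_day).days})
    return flagged


def stale_accounts(enabled, separations, today):
    """Return enabled accounts whose owner's last day is already in the past."""
    return sorted(emp for emp in enabled
                  if separations.get(emp) is not None and separations[emp] < today)
```

Running both checks on a daily schedule turns a missed deprovisioning step into an alert rather than a months-later SEC filing.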