More than 8 million users of Cash App Investing could be affected by a data breach after a former employee of the company downloaded reports containing customer names and account numbers.
Block, the owner of the Square payments system, revealed the data breach in a regulatory filing on Monday and said it was contacting affected customers, The New York Times reported. The exposed data involved only users of Cash App’s investing product and not the person-to-person payment service that serves more than 44 million users, the newspaper reported.
According to Block, the former employee downloaded the reports on Dec. 10, 2021, according to the filing.
We have recently shared details of a security incident affecting some Cash App Investing customers. For more information, please visit our Help Center. https://t.co/0DVL0IZBiq
— Cash App Support (@CashSupport) April 5, 2022
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” Block stated in its report.
“Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm,” Block spokesperson Fiona Lee said in a statement. “We know how these reports were accessed, and we have notified law enforcement.”
Block said the reports did not contain user names, passwords, Social Security numbers, birth dates, payment-card information, bank account balanced or customer addresses, The Wall Street Journal reported.
Potentially 8.2 Cash App users could be affected by a data breach after an ex-employee downloaded reports in December. https://t.co/ThnrjypOv7
— USA TODAY (@USATODAY) April 6, 2022
Lee declined to comment specifically on how the former employee gained access to the information, the Times reported.
“We continue to review and strengthen administrative and technical safeguards to protect information,” Lee said in her statement.
Adam Darrah, director of intelligence services ZeroFox, a cybersecurity company, told USA Today that the breach should not directly affect users but could be a problem if that data is eventually stolen.
“This information by itself is not valuable. It has to be paired with other stuff,” Darrah told the newspaper. “Bad guys can then be more efficient in their illegal shenanigans, meaning breaking into an account and taking stuff out of an account.
“They’ll use their magic machines that they have to try to find specific accounts that they can break into. That’s the most likely endgame here.”
Block said it does not expect the breach to affect its financial performance, CBS News reported.
“Although the company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the company does not currently believe the incident will have a material impact on its business, operations or financial results,” Block’s filing stated.
©2022 Cox Media Group
