Block has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained some U.S. customer information.
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” the filing reads. Block refused to answer our questions about why a former employee still had access to this data, and for how long they retained access after their employment at the company had ended.
The information in the reports included users’ full names and brokerage account numbers, and for some customers the accessed data also included brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day.
The San Francisco-based company declined to say how many Cash App customers were impacted by the breach but said it’s contacting approximately 8.2 million current and former customers about the incident.
Block says no other personally identifiable information beyond names, such as usernames or passwords, Social Security numbers, payment card information or addresses, was included in the reports. The filing notes that other Cash App products and features, and customers outside of the U.S., were not impacted.
Following its discovery of the incident four months after the fact, the company has launched an internal investigation and says it is notifying the applicable regulatory authorities and law enforcement.
“At Cash App we value customer trust and are committed to the security of customers’ information,” Cash App spokesperson Danika Owsley told TechCrunch in a statement. “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
TechCrunch sent Block additional questions regarding the scope of the incident, but the company declined to answer.