CashApp Customers Affected by Data Breach
Account Information of 8.2 Million US Customers Was Accessed.
Developed by Block, Inc., Cash App is a mobile payment service that enables customers to send money to one another using a mobile phone application. Currently, the service is only accessible in two countries: the United Kingdom and the United States.
Cash App is alerting 8.2 million current and past clients in the United States of a data breach that occurred as a result of a former employee gaining access to their account information.
In a Form 8-K SEC filing, Block, Inc. reported that the breach happened on December 10th, 2021, when a former employee obtained internal Cash App reports while no longer employed by the firm.
According to Block, the data included the full names of Cash App customers as well as the brokerage account numbers linked to their investing activity on Cash App. For certain customers, the reports revealed more information, such as portfolio values, holdings, and perhaps trading activity for a single trading day, which was not previously disclosed.
The breached data did not include more sensitive information such as passwords, Social Security numbers, or payment information, according to a report published by TechCrunch.
On April 4, 2022, Block, Inc. (the “Company”) announced that it recently determined that a former employee downloaded certain reports of its subsidiary Cash App Investing LLC (“Cash App Investing”) on December 10, 2021 that contained some U.S. customer information. While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.
The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.
The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information. They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted.
Upon discovery, the Company and its outside counsel launched an investigation with the help of a leading forensics firm. Cash App Investing is contacting approximately 8.2 million current and former customers to provide them with information about this incident and sharing resources with them to answer their questions. The Company is also notifying the applicable regulatory authorities and has notified law enforcement.
The Company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers. Future costs associated with this incident are difficult to predict. Although the Company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the Company does not currently believe the incident will have a material impact on its business, operations, or financial results.
Journalists at BleepingComputer received a response from a Cash App representative:
At Cash App we value customer trust and are committed to the security of customers’ information. Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.
As BleepingComputer reports, the company stated that it notified regulatory authorities and law enforcement about the breach.