Block says former Cash App employee accessed data from US customer accounts
In an SEC filing on Monday, digital financial services company Block said a former employee for its subsidiary Cash App Investing accessed and downloaded the personal information of customers based in the US.
The company said it determined the employee accessed the information on December 10, 2021 and explained that they are contacting about 8.2 million current and former customers to provide them with information about this incident.
In a statement to The Record, Block spokesperson Danika Owsley said law enforcement has been notified. The company would not answer further questions about how the breach was discovered.
In the filing, Block said the employee “had regular access to these reports as part of their past job responsibilities,” but explained that the reports “were accessed without permission after their employment ended.”
“The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day,” the company said.
“The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information. They also did not include any security code, access code, or password used to access Cash App accounts.”
The company claims it launched an investigation after it discovered what happened and hired a forensics firm to help.
According to their statement, they plan to “review and strengthen administrative and technical safeguards to protect the information of its customers.”
The company could not put a monetary value on the incident, writing that any future costs related to it are “difficult to predict.”
“Although the Company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the Company does not currently believe the incident will have a material impact on its business, operations, or financial results,” the company said.
Dina Temple-Raston is the host and executive producer of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”