Block, the financial services and digital payments company formerly known as Square, has announced that Cash App suffered a data breach last December. Block submitted a filing to the Securities and Exchange Commission (SEC) this Monday acknowledging the breach. The filing reveals that a former employee accessed reports containing US customer information. This occurred on December 10th, 2021, after the employee had left the company.
Cash App breach affects over 8 million users
In the filing, Block explained that the employee “had regular access to these reports as part of their past job responsibilities.” The problem is that they once again accessed these highly sensitive reports after their employment ended.
Block confirmed that the reports contained full names and brokerage account numbers for US customers. The brokerage account numbers are unique IDs associated with a customer’s stock activity on Cash App Investing. Brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day were also in some reports.
The reports did not include any other personally identifiable information. This includes any usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, and bank account information. They didn’t feature any security codes or access codes either. And the breach did not impact customers outside of the US.
Block says that it has launched an investigation with the help of a leading forensics firm. The company didn’t say how many customers were impacted. But it will contact 8.2 million current and former customers to inform them about the breach.
What comes next
There is still a great deal we don’t know about the incident. It took four months for Block to discover the Cash App data breach. It’s unclear what the former Cash App employee did with the information from the reports. Block did note that the incident shouldn’t have “a material impact on its business, operations, or financial results.”
As for Block’s next steps, the company shared the following statement in its filing:
The Company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers. Future costs associated with this incident are difficult to predict. Although the Company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the Company does not currently believe the incident will have a material impact on its business, operations, or financial results.
We hope to hear more from Block in the near future. In the meantime, if you’ve used Cash App Investing in the past, be on the lookout for an email from the company. Block says it will share information about the breach and resources to answer questions.