Block, the company headed by Jack Dorsey, has notified the Securities and Exchange Commission (SEC) of an incident in which a former employee downloaded the information of 8.2 million customers.
The information downloaded by the former employee concerned Block’s products like Cash App and Tidal. Block had not given the unnamed former employee permission to download it, even though they had access to the information while carrying out their job duties.
The data in the reports included customers’ full names and brokerage account numbers. For some customers, it also included their brokerage portfolio value, holdings, and a day’s stock trading activity. The data breach occurred on December 10th last year.
However, Block clarified that the data did not contain usernames or passwords. The former employee also did not get access to Social Security numbers, dates of birth, payment card information, or any other information that could be used to identify customers. As such, the Cash App accounts of the affected users are not compromised.
Block is contacting the roughly 8.2 million affected users, including current and former customers, to answer any questions they might have.
Speaking to The Verge, Cash App spokesperson Danika Owsley said, “At Cash App we value customer trust and are committed to the security of customers’ information. Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
The notice Block sent to the SEC reads:
“On April 4, 2022, Block, Inc. (the “Company”) announced that it recently determined that a former employee downloaded certain reports of its subsidiary Cash App Investing LLC (“Cash App Investing”) on December 10, 2021 that contained some U.S. customer information. While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.
“The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.
“The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information. They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted.
“Upon discovery, the Company and its outside counsel launched an investigation with the help of a leading forensics firm. Cash App Investing is contacting approximately 8.2 million current and former customers to provide them with information about this incident and sharing resources with them to answer their questions. The Company is also notifying the applicable regulatory authorities and has notified law enforcement.
“The Company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers. Future costs associated with this incident are difficult to predict. Although the Company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the Company does not currently believe the incident will have a material impact on its business, operations, or financial results.”