Approximately 8.2 million U.S. customers of Cash App Investing have been notified of a data breach carried out by a former employee of the mobile payment service provider.
Block, Cash App’s parent company, disclosed the breach in a regulatory filing with the Securities and Exchange Commission on Monday. The unauthorized access occurred Dec. 10, 2021, and the information exposed included current and former customer full names, brokerage account numbers, brokerage portfolio values, brokerage portfolio holdings, and/or stock trading activity for one trading day.
Usernames, passwords, Social Security numbers, dates of birth, payment card information, addresses, bank account information, or any other personally identifiable information were not exposed in the breach, according to Block.
Most notable was that the unnamed individual accessed the information after his or her employment with the company ended. The individual “had regular access to these reports as part of their past job responsibilities,” Block stated, suggesting those permissions were not revoked in a timely manner upon his or her departure.
Block noted the company and its outside counsel have launched an investigation into the matter that is ongoing. The company said it is notifying applicable regulatory authorities and law enforcement.
“The company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers. Future costs associated with this incident are difficult to predict,” Block said. “… [B]ased on its preliminary assessment and on the information currently known, the company does not currently believe the incident will have a material impact on its business, operations, or financial results.”