Cash App is alerting 8.2 million existing and former US customers about a data breach after a former worker accessed their account information. Block, Inc., Cash App’s owner, disclosed in a Form 8-K SEC filing that the breach happened on December 10th, 2021, when a former employee downloaded internal Cash App reports while no longer working at the firm.
According to Block, the data included complete identities and brokerage account numbers linked with Cash App investing activity. Additional information, such as portfolio valuations, holdings, and perhaps trading activity for one trading day, was disclosed in the reports for some clients. TechCrunch reported that the data hack did not contain more sensitive information, such as passwords, Social Security numbers, or payment information.
Block’s Form 8-K filing reveals that the reports did not contain usernames or passwords, Social Security numbers, dates of birth, credit card information, addresses, bank account information, or other personally identifiable information. They also left out any security codes, access codes, or passwords that may be used to get into Cash App accounts. Additional Cash App products and capabilities (apart from stock activity) were unaffected, as were clients outside the United States.
A Cash App spokeswoman responded to demands for further information with the following statement:
“At Cash App we value customer trust and are committed to the security of customers’ information. Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
Block said that they are informing the 8.2 million customers who have been affected by the hack in order to offer further information about the situation. The firm also claims that the hack was reported to regulatory agencies and law enforcement.