Data breach potentially affected over 8 million Cash App users after a former employee downloaded customer information on December 10, 2021.
In a regulatory filing with the United States Securities and Exchange Commission (SEC), Cash App’s parent company Block said it discovered the intrusion in December 2021.
According to Block’s disclosure, the former employee, who had access to the information during his tenure, downloaded data for customers who use the Cash App Investing stock function.
Cash App Investing is a stock trading platform by Block (formerly Square Inc.), owned by Twitter co-founder Jack Dorsey. Block also owns Cash App peer-to-peer payment platform, Tidal music streaming services, and Spiral cryptocurrency app.
Cash App is only available in the United States and the United Kingdom and had about 44 million users in 2019.
Cash App parent company Block confirms a data breach
The San Francisco, California-based financial services company said it notified law enforcement after its investigation determined how the former employee illegally accessed the records.
“Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm,” Block’s spokeswoman Fiona Lee said. “We know how these reports were accessed, and we have notified law enforcement.”
Cash App did not disclose how the former employer gained access to the information but it is likely that he had access to the data long after leaving the company.
“The statement released does not go into detail about the way the records were accessed by the former employee, but from my experience, I believe it’s possible that the breach could have come from an orphaned account still active on a third-party SaaS application like a cloud storage solution,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel said.
Such mishaps may also occur when there is a lack of proper communication between the Human Resources and the IT department on the status of terminated employees.
“Insider threats are a critical cybersecurity risk,” said Keith Neilson, Technical Evangelist at CloudSphere. “In this case, a former employee at Block secured access to confidential reports following their departure from the company.
“When companies lack visibility into their IT infrastructure, employees and former employees often have extended access to sensitive company data, opening the door to both malicious and accidental cybersecurity incidents.”
Nelson advised companies to take inventory of their cyber assets and establish real-time visibility of the attack surface to enforce security.
Erich Kron, a security awareness advocate at KnowBe4, said that the data breach underscores the need for a “well-defined employee offboarding process.”
He noted that some former employees feel entitled to information and intellectual property they helped to create. Thus, the failure to remove their access could allow them to return and take it.
“Without a strong offboarding process, accounts that should be disabled can easily be missed, leaving them open for abuse by ex-employees,” Kron said. “Shared passwords are equally as dangerous, especially if they are not changed immediately after an employee leaves.”
However, Block promised to continue reviewing and strengthening administrative and technical safeguards to protect information.
Additionally, the company said it would contact current and former app users and provide resources for navigating the breach. Subsequently, Cash App Investing users confirmed on social media receiving a notification titled “Important Account Notice – Cash App Investing“.
Cash App Investing data breach will not affect business operations
Block indicated that the data breach did not expose sensitive customer information such as usernames, passwords, bank account information, or social security numbers.
The unauthorized former employee also did not access security codes, access codes, and passwords for authenticating on the Cash App accounts.
According to Block’s statement, the breach did not affect other Cash App features or users outside the United States.
However, the data breach exposed full names and brokerage account numbers associated with Cash App Investing user’s activity. The illegal access also exposed users’ brokerage portfolio value, brokerage portfolio holdings, and/or daily stock trading activity for some users, according to the SEC filing.
Although an investigation was still in progress, Block hinted that the future cost of the data breach was currently difficult to predict. However, the company does not anticipate that the data breach would affect its business operations or financial results.