The data breach potentially affected more than 8 million Cash App users after a former employee uploaded customer information on December 10, 2021.
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC), Cash App’s parent company, Block, said it discovered the breach in December 2021.
According to Block’s disclosure, the former employee, who had access to the information during his tenure, uploaded data for clients who use the Cash App Investing stock trading feature.
Cash App Investing is a stock trading platform from Block (formerly Square Inc.), owned by Twitter co-founder Jack Dorsey. Block also owns peer-to-peer payment platform Cash App, music streaming service Tidal, and cryptocurrency app Spiral.
Cash App is only available in the US and UK and had around 44 million users in 2019.
Block, the parent company of Cash App, confirms a data breach
The San Francisco, Calif.-based financial services firm said it notified law enforcement after its investigation determined how the former employee illegally accessed records.
“Following the discovery, we took steps to address this issue and launched an investigation with the assistance of a leading forensics firm,” Block spokeswoman Fiona Lee said. “We know how these reports were accessed and we have informed law enforcement.”
Cash App did not disclose how the former employee gained access to the information, but it is likely that he gained access to the data long after he left the company.
“The published statement does not go into detail about how the records were accessed by the former employee, but based on my experience, I believe it is possible that the breach stemmed from an orphan account still active on a third-party SaaS application like a cloud storage solution,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel.
Such incidents can also occur when there is a lack of adequate communication between Human Resources and IT on the status of terminated employees.
“Insider threats are a critical cybersecurity risk,” said Keith Neilson, Technical Evangelist at CloudSphere. “In this case, a former Block employee was granted access to confidential reports after he left the company.
“When companies lack visibility into their IT infrastructure, employees and former employees often have extensive access to sensitive corporate data, opening the door to malicious and accidental cybersecurity incidents.”
Neilson advised companies to take inventory of their cyber assets and establish real-time visibility of the attack surface to strengthen security.
Erich Kron, Security Awareness Advocate at KnowBe4, said the data breach underscores the need for a “well-defined employee relocation process.”
He noted that some former employees believe they have a right to access the information and intellectual property they helped create. So, not removing their access could allow them to come back and take it.
“Without a robust relocation process, accounts that should be deactivated can easily be missed, leaving them open to abuse by former employees,” Kron said. “Shared passwords are just as dangerous, especially if not changed immediately after an employee leaves.”
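The two failure modes the commentators describe, orphan accounts left active on third-party SaaS applications and shared passwords not changed after a departure, can both be caught by reconciling the HR termination list against account and credential inventories. The following is an added example, not code from Block or from anyone quoted here; all names, applications and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the Block incident).
# HR system of record: user -> last day of employment.
HR_TERMINATIONS = {"alice": date(2021, 9, 30), "bob": date(2021, 11, 15)}

# One row per account per SaaS tenant: (app, user, active, last_login).
SAAS_ACCOUNTS = [
    ("cloud-storage", "alice", True, date(2021, 12, 10)),
    ("cloud-storage", "carol", True, date(2021, 12, 12)),
    ("reporting", "alice", False, date(2021, 9, 28)),
    ("reporting", "bob", True, date(2021, 11, 10)),
]

# Shared credentials: (name, users who knew it, date last rotated).
SHARED_SECRETS = [
    ("reports-service-login", {"alice", "carol"}, date(2021, 6, 1)),
    ("billing-api-key", {"bob", "carol"}, date(2021, 11, 16)),
]

def audit_offboarding(terminations, accounts, secrets):
    """Return sorted findings as (severity, kind, subject, user) tuples."""
    findings = []
    for app, user, active, last_login in accounts:
        left = terminations.get(user)
        if left is None:
            continue  # still employed, nothing to reconcile
        if last_login is not None and last_login > left:
            # Account was actually used after the person left.
            findings.append(("high", "login_after_termination", app, user))
        elif active:
            # Not used yet, but still usable: an orphan account.
            findings.append(("medium", "orphan_account", app, user))
    for name, holders, rotated in secrets:
        for user in holders:
            left = terminations.get(user)
            # A rotation on or before the last day still leaves the secret known.
            if left is not None and rotated <= left:
                findings.append(("medium", "shared_secret_not_rotated", name, user))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_offboarding(HR_TERMINATIONS, SAAS_ACCOUNTS, SHARED_SECRETS):
        print(*finding, sep="\t")
```
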
However, Block promised to continue to review and strengthen administrative and technical safeguards to protect information.
Additionally, the company said it will reach out to current and former users of the app and provide resources to navigate the breach. Subsequently, Cash App Investing users confirmed on social media that they received a notification titled “Important Account Notice – Cash App Investing”.
Cash App Investing Data Breach Won’t Affect Business Operations
Block said the data breach did not reveal sensitive customer information such as usernames, passwords, bank account information or social security numbers.
The unauthorized access by the former employee also did not extend to security codes, passcodes or passwords used to authenticate to Cash App accounts.
According to Block’s statement, the breach did not affect other Cash App features or users outside of the United States.
However, the data breach exposed the full names and brokerage account numbers associated with the Cash App Investing user activity. The illegal access also exposed users’ brokerage portfolio value, brokerage portfolio holdings, and/or daily stock trading activity for some users, according to the SEC filing.
With an investigation still ongoing, Block suggested that the future cost of the data breach is currently difficult to predict. However, the company does not expect the data breach to affect its business operations or financial results.