Cash App had a security breach last year that affected some U.S. customers
Cash App is one of the most popular services for sending money over the internet, especially in the United States. It’s developed by Block, Inc, the same company behind the Square payments platform, and a new regulatory document published by Block reveals it had a security breach last year.
Block, Inc submitted a Form 8-K to the United States Securities and Exchange Commission (SEC) on Monday, which is required when certain events occur at companies with shareholders. Block states that it discovered a former employee downloaded reports that contained some information from U.S. customers of Cash app. The company said, “while this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.”
The affected data included full name and brokerage account numbers, and also the brokerage portfolio values and trading activity for one day. Cash App allows people to buy and sell stocks (and the Bitcoin cryptocurrency), in addition to its original purpose of sending money to other people. The company said the accessed reports did not include usernames, passwords, Social Security numbers, date of birth, payment cards, or other personally-identifiable information.
TechCrunch contacted Block to request how the former employee retained access to financial reports, and what the exact scope of the incident was, but the company declined to answer. A spokesperson for Cash App told TechCrunch, “At Cash App we value customer trust and are committed to the security of customers’ information. Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
Cash App is currently contacting roughly 8.2 million current and former customers to inform them about the breach, though it’s not clear if every single one of those people were affected. Block says it is still investigating the incident, so the company itself might not even know the specific customers affected right now.