In brief: Block, the company that used to be called Square and is responsible for the Cash App payment service, has confirmed a data breach was carried out by a former employee who accessed US customer records.
Block revealed the Cash App breach in a regulatory filing with the Securities and Exchange Commission (SEC) on April 4, writes TechCrunch. It said an ex-employee accessed the customer reports on December 10.
"While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended," the filing reads.
The accessed reports included customers' full names and brokerage account numbers. There was also brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day in the data, though only in some cases.
Block emphasized that no personally identifiable information, other than names, was exposed—usernames, passwords, Social Security numbers, payment card information, bank account details, and addresses were not accessed. Additionally, only customers in the US were affected.
Block never specified exactly how many people were impacted by the breach, but it did confirm it was contacting around 8.2 million current and former customers about the incident.
"Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. In addition, we continue to review and strengthen administrative and technical safeguards to protect information," Block said in a statement.
Block shares fell 7% from $145 to $135 yesterday following news of the breach.
The 8.2 million people affected in this case is more than the Robin Hood security incident from last November that led to the personal information of no less than 7 million users being exposed. But it pales in comparison with some of the bigger breaches we've seen over the years, such as the T-Mobile hack that impacted 48 million customers or the MGM breach that saw 142 million hotel guest details appear on the dark web.
Masthead image: Tech Daily