Sensitive information for more than eight million users of Cash App Investing — a stock trading app run by Block, the owner of the Square payments system — was exposed when a former employee downloaded corporate reports after leaving the company.
Block revealed the data exposure in a regulatory filing on Monday, and said it was contacting the affected customers.
“Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm,” Fiona Lee, a Block spokeswoman, said. “We know how these reports were accessed, and we have notified law enforcement.”
The exposed data involved only users of Cash App’s investing product, not the person-to-person payment service with roughly 44 million users, the company said.
The information was retrieved by the former employee in December and included customers’ names and Cash App brokerage account numbers. For some customers, it also included their portfolio value, their holdings and certain trading activity. The information did not include user names, passwords, Social Security numbers and other personally identifiable details, Block said in its filing.
Companies that deal with financial data typically have strong internal systems to protect that information. Ms. Lee declined to comment specifically on how the former employee gained access and whether the company had made adjustments since the breach was discovered.
“We continue to review and strengthen administrative and technical safeguards to protect information,” she said in a written statement.
Financial companies that are not banks typically face far less scrutiny from regulators about their security systems than tightly regulated banks. Square obtained a banking charter last year for Square Financial Services, which allows it to offer some banking services, but that unit operates independently from Cash App.
The idea that a former employee was somehow able to sneak in meant something went badly awry. “Taking customers’ data and security seriously would require securing external access to employees’ accounts and disabling that access upon termination, preferably before the employee leaves,” said James McQuiggan, a security expert at KnowBe4, a cybersecurity training company.
Cash App is one of the most popular person-to-person payment systems in the United States, trailing Zelle and PayPal’s Venmo. It has grown to include debit cards, merchant payment tools and a tax-preparation system that Block bought from Credit Karma. The data breach did not affect users of any products other than the investing app, Block said.
Cash App Investing customers said in a Reddit forum that they had received emailed notices on Monday about the incident. Many were irked by the breach.
“Now the question is whether or not our names and accounts numbers were leaked to the dark web?” one user wrote.
