Sensitive information for more than 8 million users of Cash App Investing, a stock trading application run by Block, the owner of the Square payment system, was leaked when a former employee downloaded corporate reports after leaving the company.
Block announced the data exposure in a regulatory filing on Monday, saying it was contacting affected customers.
“On discovery, we took steps to resolve the issue and began an investigation with the help of a leading forensic firm,” said Fiona Lee, a spokeswoman for Block. “We know how these reports were accessed, and we have notified law enforcement.”
The company said the exposed data covers only users of Cash App’s investment product, not the person-to-person payment service, which has about 44 million users.
The information was retrieved by a former employee in December and included customers’ names and Cash App brokerage account numbers. For some clients, it also included their portfolio value, their holdings, and specific trading activity. The information does not include usernames, passwords, Social Security numbers or other personally identifiable details, Block said in its filing.
Companies dealing with financial data usually have robust internal systems to protect that information. Ms. Lee declined to comment specifically on how the former employee gained access and whether the company has made adjustments since the breach was discovered.
“We continue to review and strengthen administrative and technical security to protect information,” she said in a written statement.
Financial companies that are not banks generally face much less scrutiny from regulators over their security systems than tightly regulated banks do. Square obtained a banking charter for Square Financial Services last year, which allows it to offer certain banking services, but the unit operates independently of Cash App.
That the former employee was somehow able to get back in means something went badly wrong. “Taking customer data and security seriously will require securing external access to employees’ accounts and disabling that access upon termination, preferably before the employee leaves,” said James McQueen, a security expert at KnowBe4, a cybersecurity training company.
Cash App is one of the most popular person-to-person payment systems in the United States, behind Zelle and PayPal’s Venmo. It has evolved to include debit cards, merchant payment instruments and the tax-preparation system that Block bought from Credit Karma. Block said the data breach did not affect users of any products other than the investment app.
Customers who invested through Cash App said on a Reddit forum that they received an email notice on Monday about the incident. Many were upset by the breach.
“Now the question is, were our names and account numbers leaked on the Dark Web?” one user wrote.