Sensitive information for more than eight million users of Cash App Investing – a stock trading app operated by Block, the owner of the Square payment system – was revealed when a former employee downloaded company reports after leaving the company.
Block disclosed the data exposure in a regulatory filing on Monday and said it was contacting affected customers.
“After discovery, we took steps to resolve this issue and launched an investigation with the help of a leading forensics firm,” said Fiona Lee, a spokeswoman for Block. “We know how these reports were consulted and we have notified law enforcement.”
The exposed data related only to users of Cash App’s investment product, not the personal payment service, which has about 44 million users, the company said.
The information was retrieved by the former employee in December and included customer names and Cash App brokerage account numbers. For some customers, it also included their portfolio value, their holdings, and certain trading activities. The information did not include usernames, passwords, social security numbers and other personally identifiable details, Block said in its filing.
Companies that deal with financial data typically have strong internal systems to protect that information. Ms. Lee declined to comment specifically on how the former employee gained access and whether the company had made any adjustments since the breach was discovered.
“We continue to evaluate and strengthen administrative and technical safeguards to protect information,” she said in a written statement.
Financial companies that are not banks tend to face much less regulatory monitoring of their security systems than highly regulated banks do. Square last year obtained a banking charter for Square Financial Services, which allows it to offer a number of banking services, but that unit operates independently of Cash App.
The fact that a former employee could still get in meant something had gone wrong. “To take customer data and security seriously, external access to employees’ accounts should be secured and that access disabled on termination, preferably before the employee leaves,” said James McQuiggan, security expert at KnowBe4, a cybersecurity training company.
Cash App is one of the most popular person-to-person payment systems in the United States, after Zelle and PayPal’s Venmo. It has expanded into debit cards, merchant payment tools, and a tax preparation system that Block bought from Credit Karma. The data breach did not affect users of products other than the investment app, Block said.
Cash App Investing customers said on a Reddit forum that they had been emailed about the incident on Monday. Many were annoyed by the breach.
“Now the question is, have our names and account numbers been leaked to the dark web?” a user wrote.