Sensitive information for more than eight million users of Cash App Investing – a stock trading app run by Block, the owner of payment system Square – was exposed when a former employee uploaded company reports after leaving the company.
Block disclosed the data exposure in a regulatory filing on Monday and said it was contacting affected customers.
“Upon discovery, we took steps to address this issue and launched an investigation with the assistance of a leading forensic science firm,” Block spokeswoman Fiona Lee said. “We know how these reports were accessed and we have informed law enforcement.”
The data exposed only involved users of the Cash App investment product, not the person-to-person payment service with around 44 million users, the company said.
The information was retrieved by the former employee in December and included customer names and Cash App brokerage account numbers. For some clients, this also included the value of their portfolio, their holdings and certain trading activities. The information did not include usernames, passwords, Social Security numbers or other personally identifiable details, Block said in its filing.
Companies that process financial data typically have strong internal systems to protect that information. Ms Lee declined to comment specifically on how the former employee gained access and whether the company had made any adjustments since discovering the breach.
“We continue to review and strengthen administrative and technical safeguards to protect information,” she said in a written statement.
Financial firms that are not banks generally receive much less scrutiny from regulators regarding their security systems than tightly regulated banks. Square obtained a banking charter for Square Financial Services last year, which allows it to offer some banking services, but this unit operates independently of Cash App.
That a former employee was able to get in at all suggests something had gone wrong. “Taking customer data and security seriously would require securing external access to employee accounts and disabling that access in the event of termination, preferably before the employee leaves,” said James McQuiggan, a data security expert at KnowBe4, a cybersecurity training company.
Cash App is one of the most popular person-to-person payment systems in the United States, behind PayPal’s Zelle and Venmo. It grew to include debit cards, merchant payment tools, and a tax preparation system that Block purchased from Credit Karma. The data breach did not affect users of any product other than the investing app, Block said.
Cash App Investing clients said in a Reddit forum that they received email notifications about the incident on Monday. Many were angered by the breach.
“Now the question is whether or not our names and account numbers were leaked on the dark web?” a user wrote.