Block, the company formerly known as Square. Inc., has disclosed that customers of its mobile payment service, Cash App, may have been subjects of a large-scale security breach.
In a filing with the Security and Exchange (SEC) on Monday, Block revealed that a former Cash App employee is understood to be responsible for the leak, bypassing security measures.
Full names and brokerage account numbers were among the compromised data. Since the official SEC filing went live, roughly 8.2 current and former Cash App customers have been notified about the incident.
Cash App Suffers Data Breach
Cash App is a peer-to-peer payment app that has also recently introduced investing and Bitcoin features. According to Block's April 4th filing to the SEC, the San Francisco-based company had its files compromised on December 10th, when a former employee downloaded reports without Block's permission.
The SEC filing reveals that as part of their job responsibilities, the employee had regular access to these reports. However, it asserts that “in this instance these reports were accessed without permission after their employment ended.”
In a statement released by the company, they added “We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
Besides contacting the police, Block also decided to launch its own investigation with the support of a leading forensic firm. While the investigation is still ongoing, the company is confident that the event will have no material impact on its business, operations, or finances.
What Cash App Should Users Know About the Breach
If you're one of Cash Apps' 24 million users, here are the key things you should know about the leak:
What Cash App data was accessed?
According to the official filing, the information in the stolen reports included users' full names, brokerage account numbers, and unique Cash App Investing numbers. For a select number of customers, brokerage portfolio values, brokerage portfolio holding, and stock trading activity for one day were compromised too.
Fortunately, other than full names, other personally identifiable information like usernames, dates of birth, Social Security numbers, addresses, and payment information was not included in the breach. Security codes linked to the Cash App account such as security codes, access codes, and passwords were also not accessed.
Which Cash App customers were affected?
The SEC filing explains that the breach will only impact customers who use Cash Apps stocks feature, Cash App Invest.
Block hasn't confirmed how many users they suspect have been involved in the data breach, but they are in the process of contacting 8.2 million former and current Cash App users to provide them with information regarding the incident and to answer any queries they may have.
Insider Threats Are On The Rise – Here's What You Can Do
Fortunately, it's unlikely that many Cash App users will feel the repercussions of this data leak directly. However, with other major companies like Google and Snapchat also suffering at the hand of insiders in recent years, the threat of internal attacks clearly isn't disappearing soon.
Small businesses aren't exempt from these risks either. According to a report by Forrester, 61% of US businesses fell victim to an insider data breach in 2020. And as instances appear to rise year on year, now isn't the time for businesses to become complacent.
If your company is serious about keeping threats out, and sensitive information in – there are preventative measures you can take.
- Vet new employees – Simple background checks can help you to determine whether your new staff member can be trusted with sensitive information.
- Remove access for prior employees – Staff who have left the company should have any associated accounts instantly removed.
- Monitor suspicious behavior – Keeping an eye out for red flags can help you to prevent malicious activity before it takes place.
- Dispose of hardware properly – Old hard disks often contain sensitive information. Make sure you wipe their information and dispose of them correctly when they are no longer in use.
- Use security software – By deploying various anti-threat software, including endpoint protection systems, password managers, and data loss prevention systems, you can make it harder for current and former employees to compromise your data.