Millions of Cash App users may have fallen victim to a data breach
Cash App, a mobile payment service that allows users to transfer money to each other and invest in cryptocurrencies using only an app, has reportedly suffered a breach. As TechCrunch first reported, a former employee of the company had downloaded reports from Cash App containing personal information of U.S. customers. This was confirmed by Block, the company behind Cash App.
Block didn't specify how many customers were impacted by the data breach, but stated that it's currently contacting around 8.2 million current and former Cash App customers. According to the company, the stolen reports contained users' full names and the brokerage account numbers they use for investing through Cash App. Furthermore, the stolen reports included the value of some users' brokerage portfolios, brokerage portfolio holdings, and stock trading activity for a single trading day.
In a report sent to the Securities and Exchange Commission (SEC), Block stated that the former employee had accessed the reports on December 10. The company found out about the data breach four months later.
In the filing, Block said, “While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.” Block didn't say how long or why the former employee still had access to these reports after their employment had been terminated.
Danika Owsley, a Cash App spokesperson, said in a statement, “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
If you happen to be among the affected Cash App users, don’t panic. According to Block, the stolen reports did not include usernames, passwords, Social Security numbers, payment card information, bank account details, or addresses.