Mobile payments service Cash App announced on Wednesday that more than 8 million of its users could be affected in a data breach carried out by an ex-employee.
The former employee downloaded records customer names and account numbers from Cash App Investing.
The mobile payments app, which is owned by Block – formerly known as Square – is now notifying customers of the breach. Block is a financial payments company headed by Twitter co-founder Jack Dorsey.
In an April 4 filing, Block reported the data breach to the Securities and Exchange Commission (SEC).
Block said in the filing that it “recently determined that a former employee downloaded certain reports” belonging to Cash App. That information included users’ full names and brokerage account numbers, a unique identifier for a person’s stock activity on Cash App Investing. For some customers, the compromised data also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day,” according to Block.
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” the company said.
The SEC filing stated that no personally identifiable information was taken. Block said that customer user names, passwords, Social Security numbers, dates of birth and access codes were not compromised. The breach only affected U.S. customers.
It also stated that the employee accessed investment reports of the company’s Cash App on December 10, 2021.
The company is investigating the incident and has notified law enforcement. Cash App saw 44 million transactions in December 2021, according to the company’s fourth-quarter results.
“Although the company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the company does not currently believe the incident will have a material impact on its business, operations or financial results,” the filing said.
The company said in a statement: “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect the information.”