Block, the parent company of products like Cash App and Tidal, said in an SEC filing that a former employee downloaded “certain reports” that “contained some US customer information” without permission from Cash App Investing (via Protocol).
Data in the reports, which Block said were downloaded on December 10th, included “full name and brokerage account number” and for “some customers” included “brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.” The employee, who downloaded the data after they left the company, had access to the reports “as part of their past job responsibilities,” according to Block.
“The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information,” Block said. “They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted.” Block says it is contacting “approximately 8.2 million current and former customers” in regards to the incident.
“At Cash App we value customer trust and are committed to the security of customers’ information,” Cash App spokesperson Danika Owsley said in a statement to The Verge. “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
Update April 5th, 7:34PM ET: Added Cash App statement.