CashApp Data Breach: Block Employee Downloads Reports Containing Consumer Data | Console and Associates, PC
On April 4, 2022, Block, Inc. (formerly Square, Inc.) confirmed that a former employee downloaded Cash App reports containing sensitive information belonging to US customers. The data affected by the breach includes users’ full names, brokerage account numbers, brokerage portfolio value, brokerage portfolio holdings, and/or stock trading activity during a trading day.
“I talk to data breach victims almost every day, and many don’t fully understand the impact a breach can have,” said attorney Richard P. Console, Jr. “Once your sensitive personal data falls into the hands of cybercriminals, you are at a much higher risk of identity theft for the rest of your life. If a company allows your personal data to be stolen, holding that company accountable through a class action lawsuit may be the only way to get fair compensation and send a message to other companies to be more careful.”
Learn more about the Block CashApp data breach
In a filing with the Securities and Exchange Commission on April 4, 2022, Block confirmed details of the data breach. According to the filing, the breach involved a former employee who regularly accessed CashApp reports while employed. On December 10, 2021, after the employee stopped working for the company, he downloaded some CashApp reports containing sensitive information belonging to users.
In response to this discovery, Block conducted a review of the leaked reports. The company explained that it is in the process of reaching out to the app’s 8.2 million current and former users to let them know about the breach, the information compromised, and steps they can take to reduce the risk of fraud or unauthorized access to their accounts.
CashApp reports contained users’ full names, brokerage account numbers, brokerage portfolio value, brokerage portfolio holdings, and/or stock trading activity for a trading day. The company explained that none of the leaked reports contained social security numbers, dates of birth, payment card information, addresses, bank account information or any other personally identifiable information.
Block, Inc., formerly known as Square, Inc., is a financial technology and digital payments company based in San Francisco, California. The company owns various businesses, including Square, CashApp, Afterpay, Weebly, and Tidal. Block, Inc. has approximately 8,500 employees and generates approximately $17 billion in annual revenue.
What are consumer remedies following the CashApp data breach?
When customers decided to do business with CashApp, they assumed the company would take their privacy concerns seriously. And it goes without saying that consumers would think twice about giving a company access to their information if they knew it wouldn’t be secure. Thus, data breaches such as this raise questions about the adequacy of a company’s data security system.
When a business, government entity, nonprofit, school, or other organization accepts and stores consumer data, it also accepts a legal obligation to ensure that this information is kept private. US data breach laws allow consumers to pursue civil data breach claims against organizations that fail to protect their information.
Of course, because Block’s data breach is so recent, the investigation into the incident is still in its early stages. At this time, there is no evidence to suggest that CashApp is legally responsible for the breach. However, that may change as more information about the breach and its causes comes to light.
If you have questions about your ability to bring a data breach class action lawsuit against Block, contact a data breach attorney as soon as possible.
What should you do if you receive a Block data breach notification?
If Block sends you a data breach notification letter, you are among those whose information was compromised in the recent breach. Although this is not the time to panic, the situation deserves your attention. Below are some important steps you can take to protect yourself against identity theft and other fraudulent activity:
Identify compromised information: The first thing to do after becoming aware of a data breach is to carefully review the data breach letter sent. The letter will tell you what information about you was accessible to the unauthorized party. Be sure to make a copy of the letter and keep it for your records. If you’re having trouble understanding the letter or what steps you can take to protect yourself, a data breach attorney can help.
Limit future access to your accounts: Once you’ve determined what information about you was affected by the breach, the safest approach is to assume that the hacker who orchestrated the attack stole your data. Although this may not be the case, prevention is better than cure. To prevent future access to your accounts, you must change all passwords and security questions for any online account. This includes online banking accounts, credit card accounts, online shopping accounts, and any other accounts that contain your personal information. You should also consider changing your social media account passwords and setting up multi-factor authentication where available.
Protect your credit and financial accounts: After a data breach, companies often provide affected parties with free credit monitoring services. Signing up for free credit monitoring offers important protections and does not affect any of your rights to bring a data breach lawsuit against the company if it is found to be legally responsible for the violation. You should contact a credit bureau to request a copy of your credit file, even if you notice no signs of fraud or unauthorized activity. Adding a fraud alert to your account will provide you with additional protection.
Consider implementing a credit freeze: A credit freeze prevents anyone from accessing your credit file. Credit freezes are free and remain in effect until you remove them. Once a credit freeze is in place, you can temporarily lift it if you need to apply for any type of credit. While freezing credit on your accounts may seem like overkill, given the risks involved, it’s warranted. According to the Identity Theft Resource Center (“ITRC”), freezing credit on your account is “the most effective way to prevent a new credit/financial account from being opened.” However, only 3% of data breach victims freeze their accounts.
Monitor your credit report and financial accounts regularly: Protecting yourself following a data breach requires continuous effort on your part. You should regularly check your credit report and all financial account statements for any signs of unauthorized activity or fraud. You should also call your banks and credit card companies to report that your information has been compromised in a data breach.
Below is a copy of Block, Inc.’s recent SEC filing:
On April 4, 2022, Block, Inc. (the “Company”) announced that it had recently determined that a former employee had uploaded certain reports of its subsidiary Cash App Investing LLC (“Cash App Investing”) on December 10, 2021 that contained US Customer Information. Although this employee had regular access to these reports as part of his previous job responsibilities, in this case, these reports were accessed without authorization after his employment ended.
Information in the reports included full name and brokerage account number (this is the unique identification number associated with a client’s trading activity on Cash App Investing), and for some clients also included brokerage book value, brokerage book holdings and/or stock trading activity for a trading day.
The reports did not include usernames or passwords, social security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information. They have also not included any security codes, passcodes or passwords used to access Cash App accounts. Other Cash App products and functionality (other than trading activity) and customers outside of the United States were unaffected.
Upon discovery, the Company and its outside counsel launched an investigation with the assistance of a leading forensic science firm. Cash App Investing is contacting approximately 8.2 million current and former clients to provide information about this incident and to share resources with them to answer their questions. The Company is also notifying the relevant regulatory authorities and has notified law enforcement.
The Company takes the security of customer information very seriously and continues to review and strengthen administrative and technical safeguards to protect customer information. Future costs associated with this incident are difficult to predict. Although the Company has not yet completed its investigation into the incident, based on its preliminary assessment and information currently known, the Company does not currently believe that the incident will have a material impact on its business, operations or its financial results.