Payments giant Block is being taken to court by former customers who claim its negligence led to an insider stealing their personal information last year.
A December 2021 breach at the firm’s subsidiary Cash App enabled a former employee to steal the personal information of over eight million customers.
This week, lawyers for two of those victims filed a class action lawsuit in the Northern District of California.
They’re alleging that Block “failed to maintain reasonable and adequate data security measures to safeguard customers’ private information,” which ultimately enabled the unauthorized insider access.
The plaintiffs are also arguing that the four-month delay between the breach and Block’s notification to the Securities and Exchange Commission (SEC) was unreasonably long, and that when it came, “the defendant’s notice of the data breach was not just untimely but woefully deficient.”
The complaint cites the California Customer Records Act, the Texas Deceptive Trade Practices Act and other laws that Block is alleged to have broken.
The duo were also not provided with any credit monitoring services, as is common practice following this type of incident. One of the plaintiffs claimed to have suffered nearly $400 of unauthorized transactions on their account following the breach, while the other pointed to multiple incidents of fraud.
They also spent a significant amount of time dealing with the fallout from the incident, including fruitlessly requesting that their accounts be reimbursed the stolen funds, according to court documents seen by Infosecurity.
The lawsuit was filed in a week when Block founder Jack Dorsey’s other business, Twitter, came under intense scrutiny after a whistleblower disclosure from its former head of security was made public.
There is some crossover between the cases, notably allegations that access policies for insiders were too lax at both firms.
Chris Clements, VP of solutions architecture at Cerberus Sentinel, argued that breach investigations can take months, but more could be done to notify customers sooner.
“One area I do see opportunities for improvement across all industries is to shift to incremental notifications for any impacted customers as soon as their information can be verified as affected,” he said.
“Notifying customers sooner as part of an incremental process rather than waiting for a complete understanding of all affected parties can provide them more time to respond and take actions to protect themselves from potential fraud or social engineering campaigns based on the stolen data.”