A leading US payments company is contacting over eight million current and former customers of its Cash App Investing subsidiary to tell them that their details may have been accessed by a malicious insider.
San Francisco-headquartered Block revealed the news in an SEC filing on Monday.
It claimed a former employee had downloaded “certain reports” containing Cash App customer information on December 10 last year, after their employment had ended.
“The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day,” the filing said.
“The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information. They also did not include any security code, access code, or password used to access Cash App accounts.”
Block said no customers outside the US were affected and no other Cash App products and features were impacted. The app allows users not only to buy stocks and Bitcoin but also to pay individuals, spend with businesses and bank deposits.
Cash App Investing is now contacting 8.2 million customers to update them on the incident and has notified the relevant regulatory and law enforcement agencies.
Insiders remain a major source of data security risk in EMEA organizations. An Imperva study last week revealed that 59% of incidents impacting sensitive data over the past 12 months were caused by insiders.
It also claimed that as many as 70% of organizations in the region still don’t have a strategy for dealing with insider risk.
It’s not just an EMEA challenge: last November, US pharma giant Pfizer alleged that an employee stole COVID-19 vaccine secrets in advance of a job move to a rival company.