Block, the parent company of products like Cash App and Tidal, said in an SEC filing that a former employee downloaded “certain reports” that “contained some US client information” without Cash App Investing’s permission (via the record ).
The data in the reports, downloaded Dec. 10, according to Block, included “full name and broker account number” and for “some clients” “broker portfolio value, broker portfolio holdings, and/or stock trading activity for a trading day.” The employee who downloaded the data after leaving the company had access to the reports “as part of his previous job duties,” Block said.
“Not the reports This includes usernames or passwords, social security numbers, date of birth, payment card information, addresses, bank account information, or other personally identifiable information,” Block said. “They also did not contain any security code, access code or password used to access Cash App accounts. Other Cash App products and features (excluding stock activity) and customers outside of the United States were unaffected.” Block says it is contacting “approximately 8.2 million current and former customers” regarding the incident.
“At Cash App, we value customer trust and are committed to the security of customer data,” Cash App spokeswoman Danika Owsley said in a statement to The Verge. “Following discovery, we took steps to address this issue and launched an investigation with the help of a leading forensics firm. We are aware of how these reports were accessed and we have notified law enforcement. We are also contacting customers whose data was affected. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
Update April 5th 7:34pm ET: Added Cash App statement.