Block, the parent company of products such as Cash App and Tidal, said in a SEC filing that a former employee downloaded “certain reports” that “contain some U.S. customer information” without Cash App Investing’s permission (through protocol†
Data in the reports, which Block said was downloaded Dec. 10, includes “full name and brokerage account number” and for “some clients” includes “brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for a single trading day.” The employee, who downloaded the data after they left the company, had access to the reports “as part of their previous job responsibilities,” Block said.
“The reports don’t contain usernames or passwords, social security numbers, date of birth, payment card information, addresses, bank account information or other personally identifiable information,” Block said. “They also do not contain a security code, passcode, or password used to access Cash App accounts. Other Cash App products and features (other than inventory activity) and customers outside of the United States were not affected.” Block says it is contacting “about 8.2 million current and former customers” regarding the incident.
“At Cash App, we value customer trust and are committed to the security of customer information,” Cash App spokesperson Danika Owsley said in a statement. The edge† “After discovery, we took steps to resolve this issue and launched an investigation with the help of a leading forensics company. We know how these reports were accessed and we have notified the police. We also contact customers whose data has been compromised. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”
Update April 5, 7:34 PM ET: Added Cash App statement.