A data breach within the network of mobile payment services company Cash App may have compromised the personal data of more than 8 million U.S. users. The company's parent Block Inc. confirmed Monday that a former employee may have intentionally downloaded the personal information of its users.
Block, which was founded by Twitter founder Jack Dorsey, also confirmed the breach in a report it filed with the U.S. Securities and Exchange Commission. In its report, the company said employees do have access to user information, but the report that was downloaded was done by an individual who was no longer working with the company.
Cash App said the downloaded data did not include sensitive information such as passwords, usernames, bank accounts, and social security numbers. However, it did contain the full names of users, their brokerage account numbers, portfolio holdings, and trading activities.
According to the filing, the only users who may be affected are those in the United States who utilize Cash App Investing, which numbers roughly 8.2 million people. Block says it will contact all current and previous users of the feature to give them more information about the breach and to share resources with them to answer their inquiries.
Block said it has already contacted different law enforcement agencies to help it identify and track down the former employee and also to recover the stolen data. The company said it takes the security and data of its customers "very seriously," and it will be reviewing and strengthening its administrative and technical safeguards to prevent similar incidents.
The company said it is still conducting an investigation on the matter but assured customers and stakeholders that the breach would likely not have any material impact on the business and its operations.
Cybersecurity experts said that the incident would likely not directly impact users based on the type of information that was stolen. However, there may be issues down the road if the data is sold or stolen. While the information itself is not valuable, it could theoretically be paired with other data that will make it sufficient enough to use to break into someone's account.
As a precaution, experts suggest that affected Cash App users should immediately update their passwords and enable two-factor authentication if they haven't already. The company didn't say if data from users outside of the U.S. were also compromised. Cash App currently only serves customers in the U.K. and the U.S.
