This popular digital wallet reported an incident of stolen investing data exposing stock activity of 8.2 million customers.
Americans are no strangers to data breaches.
When thinking about stolen information, it’s hard to miss credit-reporting firm Equifax’s (EFX) massive hacking incident from 2017 that exposed 143 million Americans’ Social Security numbers and other sensitive personal information.
Bad actors were able to game the system through a software vulnerability to access Equifax’s databases. It is still considered one of the biggest consumer data hacks, and it cost the company a record $671 million in settlements with various federal and state investigators. Heads rolled in top management, and it took Equifax many years to recover from the fallout.
The episode also set off alarm bells in Washington over cybersecurity hacks. In an ideal world this should have helped stop such incidents from happening. But even policymakers can’t stop these events from occurring in an absolute sense. It is a whack-a-mole game between regulators, companies that become targets and bad actors.
Cash App Hacked
Recently Jack Dorsey’s payments firm Block (SQ), formerly Square, reported a similar incident, though one in no way comparable in magnitude to the Equifax episode.
A former Block employee downloaded Block’s digital wallet Cash App’s investing customer data, exposing stock activity of 8.2 million customers, including in some cases brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day. The incident occurred on Dec. 10 last year, the company said.
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” the company said in a Securities and Exchange Commission filing on April 4.
Block’s disclosure comes soon after President Joe Biden cleared a new law that mandates key businesses to report to the government when they have been hacked.
Block’s digital wallet Cash App has gained popularity during the pandemic and is a popular way to transfer money to people, including in bitcoin. The app generated a gross profit of $518 million in the fourth quarter of 2021. The company counted more than 13 million monthly active users of its Cash Card during the quarter.
“The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day,” the company added in the SEC filing.
Many Cash App accounts have a routing number and a unique account number, which allows customers to deposit funds, transfer them through the app, make online purchases or ATM withdrawals using the Cash Card, to invest in stocks or ETFs, to buy bitcoin, or transfer to other bank accounts.
Block said the Cash App is building an ecosystem of financial products and services that helps individuals manage their money by making it more relatable, instantly available, and universally accessible.
The reported hack did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information, said Block.
“They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted,” Block said in its SEC filing.
The investing arm at Cash App is contacting approximately 8.2 million current and former customers to provide them with information about this incident and sharing resources with them to answer their questions.
The company said it is also notifying the applicable regulatory authorities and has notified law enforcement.