The company seems to have taken its time to come forward with its admission. TechCrunch reports that the breach occurred on December 10, 2021, but Block apparently didn’t make that public until a filing with the Securities and Exchange Commission (SEC) on April 4.
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” Block said in its filing.
The company said the information in the reports included full names and brokerage account numbers. For some customers, the leaked data might have also included information about brokerage portfolio value, brokerage portfolio holdings, and/or stock trading activity for one trading day.
Some sensitive information not compromised
Block told the SEC that the reports did not include things that might make a customer nervous, such as usernames, passwords, Social Security numbers, dates of birth, payment card information, addresses, bank account information, or any other personally identifiable information.
The company said it hired outside counsel and a “leading forensics firm” to launch an investigation into the matter the moment the breach was discovered. Cash App Investing is reportedly contacting some 8 million current and former customers to provide them with information about the incident and also share resources with them to answer their questions.
“The Company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers,” it said.
Block’s effort in that regard will be interesting to watch. One ConsumerAffairs reviewer claimed that Cash App has the “worst customer support ever.”
“No phone number to dial and can only be communicated through email. I’ve been waiting for 2 weeks for a response and they just keep saying they will have someone email me soon but no one did,” wrote Melody of Berkeley, California.
Block did not immediately respond to a request for comment from ConsumerAffairs about the data breach.