Block, the company behind the mobile payment service Cash App, has acknowledged a Cash App data breach in which a former employee accessed reports that included US customer information. The company is notifying about 8.2 million current and former customers about the breach.
"Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm," a spokesperson said Tuesday in an emailed statement. "We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information."
On Monday, the company said in a filing with US Securities and Exchange Commission that the reports were accessed on Dec. 10. "While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended," according to the filing.
The reports included customer names and brokerage account numbers, and in some cases brokerage portfolio values, brokerage portfolio holdings and stock trading activity for one trading day. They didn't include usernames, passwords, Social Security numbers, payment card information, bank account details or addresses. Users outside the US were unaffected.
Block was previously known as Square, and Cash App was previously known as Square Cash.
News of the breach was reported earlier by TechCrunch.