Cash App Warns 8.2 Million Customers of Insider Breach
Incident Caused by Former Employee Downloading Reports
Investment platform Cash App, a subsidiary of U.S.-based payments company Block, says it has been breached. The incident happened on December 10, 2021, when a former employee downloaded reports containing Cash App U.S. customer information, the company says.
"While this employee had regular access to these reports as part of their past job responsibilities, in this instance, these reports were accessed without permission after their employment ended," the company says in a filing with the U.S. Securities and Exchange Commission.
Cash App says it has notified 8.2 million current and former customers of the incident and answered some FAQs. Applicable regulatory authorities are also being notified, it says.
Lamar Bailey, senior director of security research at cybersecurity firm Tripwire, tells Information Security Media Group that insider threat is a risk that does not get enough attention. Disgruntled or negligent employees, he says, can have a big impact on security.
Bailey recommends that organizations limit access to what is specifically necessary for an employee's role, audit that access, and put tools in place to limit data leakage.
"If the data is important to you, it is important to an attacker too," Bailey says.
Critical Data Breached?
"The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day," the SEC filing says.
The reports accessed in the breach, however, did not include usernames or passwords, Social Security numbers, birthdates, payment card information, addresses, bank account information or any other personally identifiable information, it says. They also did not include any security codes, access codes or passwords used to access Cash App accounts. The company, in its filing, adds that other Cash App products and features, as well as customers outside of the United States, were not affected.
A spokesperson for Cash App tells ISMG that upon discovering the breach, the company "took steps to remediate this issue and launched an investigation with the help of a leading forensics firm." The name of the firm has not been disclosed.
"We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect the information," the spokesperson says.
While future costs associated with this incident are difficult to predict, preliminary assessments indicate that the incident will not have a material impact on its business, operations or financial results, they add.
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, says that people on the inside of a company have a leg up compared to outside threat actors when it comes to breaches, as they have some access to the internal network environment and IT resources.
"Our focus should be on protecting the data itself. Consider more datacentric methods of protection, such as tokenization or format-preserving encryption, which obfuscate sensitive - and valuable - information no matter who has access to it," Shadabi says. He says businesses should also adopt zero trust architectures.