Block, the company previously known as Square, revealed on Monday that a former employee accessed Cash App customers’ information last year after they had already left the company.
The revelation came in a Securities and Exchange Commission filing, which said that a former employee downloaded “certain reports” of the company’s subsidiary Cash App Investing.
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” the filing read. “Cash App Investing is contacting approximately 8.2 million current and former customers to provide them with information about this incident and sharing resources with them to answer their questions.”
A Cash App spokesperson confirmed the breach explaining that “the information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings, and/or stock trading activity for one trading day.”
The spokesperson added in an email to Motherboard that “the reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, address, bank information, or any other personally identifiable information. They also did not include any security codes, access codes, or passwords used to access Cash App accounts. Data related to other Cash App products and features were not impacted.”
The spokesperson said the company immediately took steps to remediate the incident and launched an investigation “with the help of a leading forensics firm.”
“We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information,” the statement read.
It’s unclear how a former employee had access to information that was exclusively for the use of current employees. Typically, when someone leaves a company, their access to company information gets revoked, precisely to avoid situations like this one.
This is the latest incident of so-called insider threat, when an employee or former employee takes advantage of their privileged access to steal sensitive information. In the last few years, Motherboard reported similar cases at Snapchat and Google.