Peer-to-peer payments tool Cash App and its parent company, Block, failed to take necessary precautions to protect the data of 8.2 million customers after a former employee downloaded their information without authorization, according to a class action lawsuit filed last week.
The Cash App breach, which occurred in December 2021, points to the importance of basic cyber hygiene and the value of implementing automated security measures, Igor Volovich, vice president of compliance strategy at cybersecurity firm Qmulos, told Bank Automation News.
It is unclear what caused the breach.
Possible explanations include that the ex-employee’s work account could still have been active on a third-party software-as-a-service (SaaS) application like a cloud storage solution, or a lack of communication between the company’s human resources and IT departments on the status of terminated employees, according to the lawsuit filed Tuesday in California.
As hackers’ tools are becoming increasingly sophisticated, automation is paramount for companies looking to enhance their data-protection capabilities. Enterprises should assess existing security systems and analyze their near-real-time data collected from technical controls instead of trusting the opinion of individual analysts, according to Volovich.
‘As basic as it gets’
The breached data included customers’ full names, brokerage account numbers, the value of their portfolios and trading activity, according to the filing.
The breach did not happen because of sophisticated hacking techniques. Instead, Cash App failed to deactivate the employee’s account, Volovich said.
“This is as basic as it gets,” he said. “There is no excuse for failing to disable accounts.”
Companies must ensure that critical security controls and practices are continuously validated, Volovich added.
“Legacy compliance practices that capture the historic security posture of the enterprise fail to detect control failures of the type observed in the Cash App incident,” he said. “By converging compliance and security functions as a joint risk management capability, enterprises attain both proactive and reactive capabilities necessary to defend against and respond to cyberattacks.”
Neither Cash App nor Block responded to a request for comment. Cash App states on its website that it takes reasonable measures, including administrative, technical and physical safeguards, to protect users’ data.
While the breach occurred in December 2021, Cash App first disclosed it in a Securities and Exchange Commission filing on April 4, 2022. The lawsuit claims that the breach can lead to substantial financial losses for customers whose information was exposed.
Founded in 2013, Cash App generated $705 million in gross profit during the second quarter of 2022, a 29% year-over-year increase. In June, there were 47 million accounts that transacted on Cash App, according to Block’s Q2 filing.
Bank Automation Summit Fall 2022, taking place Sept. 19-20 in Seattle, is a crucial event on automation and automation technology in banking. Learn more and register for Bank Automation Summit Fall 2022.






