Dive Brief:
- Block and its product Cash App Investing face a potential class action lawsuit related to a December 2021 data breach that compromised information of 8.2 million investor accounts, based on a court filing this week.
- In April, San Francisco-based Block said it learned “a former employee downloaded certain reports of its subsidiary Cash App Investing” on Dec. 10, 2021, the company said in an April 4 filing with the Securities and Exchange Commission. Those reports “contained some U.S. customer information,” including full names and brokerage account numbers, and in some cases, portfolio values and holdings as well as stock trading activity.
- In the Aug. 23 lawsuit seeking class action status in U.S. District Court for the Northern District of California, plaintiffs Michelle Salinas and Raymel Washington contend the breach leaves them “at a heightened and increased risk of future identity theft and fraud.”
Dive Insight:
Although the former Block employee “had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” Block said in the SEC filing.
Block, led by Jack Dorsey, said the reports downloaded didn’t include usernames, passwords, Social Security numbers, birth dates, bank account or payment card information or addresses, per that filing. When it learned of the breach, Block began an investigation with the help of a forensics firm and notified law enforcement.
The plaintiffs allege Block “failed to take reasonable measures to protect the private information it collected and stored,” per the court filing.
After the data breach, Salinas noticed multiple Amazon charges on her Cash App account in last December and this January that totaled about $50, the lawsuit said. Salinas has not been reimbursed by Block for those unauthorized charges, according to the court filing.
The other plaintiff, Washington, noticed multiple attempts to withdraw money from his account between February and May, as well as unauthorized transactions that totaled almost $400 in June, which he did not get back from Cash App, per the court filing.
Block “offered no explanation for the four-month delay” between learning of the breach and notifying customers, and when it did inform customers, Block didn’t offer any credit or identity theft monitoring services, the lawsuit alleges. The company also didn’t provide details as to how it learned of the breach, how the employee accessed customer information or whether that information was encrypted or protected.
The plaintiff’s attorney and a Block spokesperson could not be reached for comment.