The lawsuit also mentions a recent slew of Cash App account breaches and fraudulent activity. Block, formerly known as Square, has not issued refunds to the affected users, and at this time, it is unclear if the fraudulent charges have any ties to the December 2021 incident. According to Forbes, which first reported the lawsuit, it does not provide evidence to link these events.
What We Know About the Lawsuit
The lawsuit against Block claims that the company was “negligent” in its security practices and alleges that Cash App did not maintain “reasonable and adequate” data security measures to protect its customers’ information. It also mentions certain measures that Block should have taken to prevent the December 2021 data breach, such as securing internet-facing assets, collaborating with different members of Block’s security team, and taking a “least privilege” approach to detect intrusions. “These are basic, common-sense security measures that every business, not only those who handle sensitive financial information, should be taking,” the suit reads. “Defendants, with the highly sensitive personal and financial information in their possession and control, should be doing even more. By adequately taking these common-sense solutions, Defendants could have prevented this [data breach] from occurring,” The suit also alleges that Block did not comply with the Federal Trade Commission’s guidelines on maintaining reasonable and appropriate data security for customers.
Details of the December 2021 Breach
The root of the lawsuit is an incident from December of last year. Block suffered a breach where a former Cash App staff member stole a large trove of customer information. Block said the ex-employee stole the information using the access they had from the time they worked for the company. The stolen information included data points such as users’ full names, brokerage account numbers, portfolio values, portfolio holdings, and stock trading activity for one trading day. However, the incident did not compromise any passwords or sensitive information like Social Security numbers. A huge concern with the incident was the sheer number of individuals who were potentially impacted. Block told the U.S. Securities and Exchange Commission (SEC) that it would reach out to 8.2 million former and existing customers at the time. In the lawsuit, the plaintiffs pointed out the harm caused by the long delay between when the incident occurred and when it was reported to the SEC. “Block offered no explanation for the four-month delay between the initial discovery of the breach and the belated notification to affected customers, which resulted in plaintiffs and class members suffering harm they otherwise could have avoided had a timely disclosure been made,” the suit said.
Recent Cash App Customer Account Breaches
The lawsuit also mentions a series of recent Cash App account breaches, pointing to them as an example of the harm caused by the December 2021 breach. Several Cash App users have complained that a third party gained access to their account and drained their funds. A recent Vice Motherboard report stated that cybercriminals are selling Cash App login credentials on dark web marketplaces, social media, and some fraudulent sites. While the lawsuit claims that the recent account breaches are related to the December 2021 incident, the link between the two is not readily apparent. However, affected users are advised to watch out for signs of identity theft.
Another Jack Dorsey-Founded Company Under Scrutiny
This week’s lawsuit filing follows another high-profile tech company that’s come under the gun for its cybersecurity practices. Block’s CEO and founder, Jack Dorsey, also co-founded Twitter, though he left its board of directors earlier this year. Twitter’s former security chief Peiter Zatko filed a scathing whistleblowing complaint — first reported by the Washington Post — earlier this week detailing the company’s negligence and “extreme, egregious deficiencies” against hackers and cyber threats. Zatko, better known in the cybersecurity community as “Mudge,” alleged that Twitter had violated its own FTC agreement by claiming it had sufficient cybersecurity protocols in place. According to the complaint filing, Twitter had been using outdated software and allowing employees poorly-monitored access to key software and computing, which could be blamed for scores of hacks the tech company has faced over the years. One such hack saw many prominent Twitter accounts taken over in a brazen Bitcoin scam.
