CashApp is hacked by an employee. Stolen sensitive data

CashApp, a popular financial services and stock trading platform, has confirmed a data breach incident allegedly perpetrated by a former employee who managed to steal brokerage data and other sensitive records from the company’s systems. Jack Dorsey’s Block subsidiary firm notes that the stolen data includes brokerage account numbers, full names, brokerage portfolio securities and brokerage portfolio holdings.

In its message, CashApp details how its security teams discovered that this former employee downloaded certain reports from Cash App Investing with customer information. Although this employee had regular access to these reports as part of his position’s activities, the incident occurred without company authorization and after the employment relationship had ended.

“Upon noticing the incident, we took steps to remedy this issue and launched an investigation. We notify law enforcement and continue to review and strengthen administrative and technical security measures to protect our customers’ information,” the CashApp statement said.

Although the company attributed responsibility for the attack to the former employee, they did not add details about how this employee was able to break into its networks even after he stopped working there. CashApp also did not add information on the number of customers affected, although the report filed with the U.S. Securities and Exchange Commission (SEC) notes that notifications are being sent to about 8 million former and current customers.

The notification to the SEC also specifies that at no time did the threat actor access personal records such as names, usernames and passwords, Social Security numbers, dates of birth, payment cards or any other means of personal identification: “The leak also does not include any security code, access code or password used to access your Cash App account,” concludes the company’s report.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.