Block sued after ex-staffer siphons customer data

'Don't be such a Square' hits different these days


Block – the digital payments giant formerly known as Square – faces allegations it failed to take adequate measures to protect customers' personal information.

A lawsuit [PDF], filed Tuesday in a federal district in Oakland, California, on behalf of two users of Cash App, operated by Block subsidiary Cash App Investing, claims the company failed to implement reasonable security. As a result, a former employee was able to download internal reports containing personal information after leaving the firm.

Coincidentally, Twitter – another venture co-founded by Block Head Jack Dorsey – was accused of subpar security by its former security chief in a recent whistleblower complaint.

Block disclosed the December 10, 2021 data theft on April 4, 2022, and stated it was contacting 8.2 million current and former customers about the privacy snafu. The biz said, "a former employee downloaded certain reports of its subsidiary Cash App Investing LLC … that contained some US customer information."

The employee had access to those reports while employed but in this instance downloaded the files after leaving the company. The data obtained included customers' full name and brokerage account numbers, and in some cases, brokerage portfolio values, brokerage portfolio holdings and/or stock trading activity for one trading day.
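The control failure described here is access that outlives employment: an account that should have been disabled at offboarding could still pull internal reports days later. As an added illustration, not code or log data from Block or Cash App Investing, the following Python correlates a constructed HR offboarding feed with a constructed report-download audit log and flags every download that happened after the account owner's last day. The log format, user names, report names and the optional grace window are all assumptions made for this example.

```python
"""Flag report downloads made after the downloading account's termination date.

Added example for this article. The HR feed, audit log format, user names and
report names below are constructed; they are not Block's data or systems.
"""
from datetime import datetime, timedelta

# Constructed HR offboarding feed: username -> last day of employment (UTC).
TERMINATIONS = {
    "alice": datetime(2021, 11, 30),
    "bob": datetime(2021, 12, 3),
}

# Constructed report-download audit lines:
#   "<ISO-8601 timestamp> <username> <action> <report filename>"
AUDIT_LOG = """\
2021-11-29T15:04:00 alice DOWNLOAD brokerage_positions_2021-11-29.csv
2021-12-10T02:17:41 alice DOWNLOAD brokerage_positions_2021-12-09.csv
2021-12-02T09:00:12 bob DOWNLOAD trade_activity_2021-12-01.csv
2021-12-10T02:20:05 carol DOWNLOAD trade_activity_2021-12-09.csv
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, action, resource)."""
    ts, user, action, resource = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, resource


def find_post_termination_access(log_text, terminations, grace=timedelta(0)):
    """Return (user, timestamp, resource) for every DOWNLOAD performed by a
    user whose last day of employment ended more than `grace` before the event.

    `grace` is an assumed allowance for deprovisioning lag; with the default of
    zero, anything after midnight following the last day is flagged.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, resource = parse_line(raw)
        last_day = terminations.get(user)
        if last_day is None or action != "DOWNLOAD":
            continue  # current employee, or not a download event
        # Access on the last day itself is expected; the last day ends at the
        # following midnight, after which credentials should already be revoked.
        cutoff = last_day + timedelta(days=1) + grace
        if ts > cutoff:
            hits.append((user, ts, resource))
    return hits


def summarize(hits):
    """Group flagged events by user so each ex-employee is reported once."""
    per_user = {}
    for user, ts, resource in hits:
        per_user.setdefault(user, []).append((ts, resource))
    return per_user


if __name__ == "__main__":
    for user, events in summarize(
        find_post_termination_access(AUDIT_LOG, TERMINATIONS)
    ).items():
        print(f"{user}: {len(events)} download(s) after termination")
        for ts, resource in events:
            print(f"  {ts.isoformat()}  {resource}")
```

Run against the constructed data this reports one post-termination download by `alice`; `bob`'s download on the day before his last day is not flagged, and `carol`, who is not in the offboarding feed, is ignored. In practice the same join is better enforced preventively, by driving account disablement from the HR feed, with this kind of retrospective check as the detective control behind it.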

As far as the litigants are concerned, Block didn't meet its security obligations, failed to notify customers in a timely manner, provided too little information about the incident, and failed to offer credit or identity monitoring services.

"The breach occurred because [Block] failed to take reasonable measures to protect the Private Information it collected and stored," reads the complaint, which aspires to be certified in the United States as a class action. "Among other things, [Block] failed to implement data security measures designed to prevent this release of information to former employees."

Both of the plaintiffs – Michelle Salinas and Raymel Washington – saw unauthorized charges to their Cash App accounts in the wake of the December privacy breach, the lawsuit claims, and had to spend many hours trying to undo the damage. The pair are seeking damages and other relief.

No evidence is presented that those unwanted charges were made by someone using data obtained as a result of the Block security fiasco. And in its disclosure notice, Block explicitly stated that the downloaded reports "did not include usernames or passwords," or other sensitive personal information. At the same time, a recent report claimed Cash App accounts are being actively targeted by hackers using information obtained from fraud sites peddling account information.

The Register asked Block to comment and to say whether the company has any reason to believe that reported Cash App cyber-heists may be linked to the company's December 2021 data breach.

So far, we've had no word from Block. ®
