Block, the parent company of products like Cash App and Tidal, said in an SEC filing that a former employee downloaded “certain reports” that “contained some US customer information” without permission from Cash App Investing (via Protocol).
Data in the reports, which Block said were downloaded on December 10th, included “full name and brokerage account number” and for “some customers” included “brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.” The employee, who downloaded the data after they left the company, had access to the reports “as part of their past job responsibilities,” according to Block.
“The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information,” Block said. “They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted.”
Block says it is contacting “approximately 8.2 million current and former customers” in regards to the incident. It’s unclear if that number is how many people Block believes may have had their data exposed. Block didn’t immediately reply to a request for comment.