Monday, August 29, 2022
The class-action lawsuit, filed Aug. 23, 2022 in U.S. District Court for the Northern District of California, accuses Block and Cash App Investing of lax security leading to the former employee downloading sensitive customer information after leaving Block's employ.
Coincidentally, the lawsuit was filed on the same day the Washington Post published details of an explosive whistleblower complaint against Twitter by its former security chief.
Peiter Zatko, a white-hat hacker who goes by the moniker Mudge, accused his former employer of deceiving federal regulators and the company's board of directors about "extreme, egregious deficiencies" in its hacker defenses. He also accused Twitter, co-founded by Block Head Jack Dorsey, of violating a 2011 Federal Trade Commission settlement by falsely claiming it was adequately securing information on its 238 million-plus users.
The lawsuit against Block and Cash App cites an April 4, 2022 Securities Exchange Commission filing by the company regarding the Dec. 10, 2021 incident during which an ex-employee downloaded internal reports containing customer information. Stolen information included full customer names and Cash App Investing account numbers and, in some cases, portfolio holdings and activity. Block told the SEC it was contacting 8.2 million current and former customers about the privacy breach.
Cash App is Block's person-to-person payment app. Cash App Investing allows users to purchase and sell stocks with monies in their Cash App accounts and linked debit cards.
The two main plaintiffs in the case said they had identified multiple unauthorized charges to their Cash App accounts as early as December 2021 and as recently as June 2022. The fraudulent transactions were reported to Block, but the company declined to reimburse the customers for their losses, the lawsuit alleges.
The lawsuit also blasts Block for taking four months to disclose the breach.
"Defendant Block offered no explanation for the four-month delay between initial discovery of the breach and the belated notification to affected customers, which resulted in plaintiffs and class members suffering harm they otherwise could have avoided had a timely disclosure been made," the lawsuit states.
The lawsuit alleges that Block and Cash App Investing failed to meet industry standards, common law, Federal Trade Commission data security guidelines and its own privacy promise to protect user information.
Block "had the resources necessary to prevent the data breach, but neglected to adequately implement data security measures, despite their obligation to protect customer data," the lawsuit states.
The lawsuit seeks monetary damages, a Block commitment to beef-up security and monitoring procedures, and free credit monitoring services for affected customers. 
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
