Jack Dorsey led Block Inc’s Cash App was targeted by an insider attack in December

Mobile payment company Cash App, owned by Jack Dorsey’s Block Inc, said in a Securities and Exchange Commission (SEC) filing that last December a former employee had illegally downloaded internal reports, which included full names and brokerage account numbers of customers in the US. The employee had left the company when the reports were accessed.  

“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” the company said in the filing document.  

The company further added that it has launched an investigation with help from forensic experts and has informed around 8.2 million current and former customers about the internal breach. Regulatory authorities and law enforcement agencies have also been informed, the company said.  

Cash App has assured its customers that the compromised data doesn’t include any personally identifiable information such as social security numbers, date of birth, card credentials, physical address, bank account information, or usernames and passwords used to access the Cash App.  

However, the compromise of the brokerage account number means that the customers’ brokerage portfolio value, brokerage portfolio holdings, and/or stock trading activity for one trading day have been compromised. A brokerage account number is a unique identification number associated with a customer’s stock activity on Cash App Investing.  

Cash App is one of the leading payment apps that allow customers to buy and sell Bitcoins using their Cash App balance. So far, there has been no report of a breach of a customer’s wallet. Cash App on its part said it does not believe this incident will have a material impact on its business, operations, or financial results. 

However, recently, several crypto exchanges and bridges have been targeted to steal cryptos. Early this week, hackers stole cryptos worth $625 million from Ronin Network, a sidechain of the Ethereum network used for transactions on the blockchain game Axie Infinity. The growing value of cryptos has made any platforms dealing in them a target.  

Payment companies or banking institutions with their treasure trove of critical customer information have always been high value targets. In addition to using targeted malwares and breaching networks, hackers often try to lure existing or former employees to steal company information and then pay them in cryptos.  

The use of social media networks including Telegram channels such as ‘Dark Jobs’ and ‘Dark Work’ to hire disgruntled employees to do their dirty work is also very common.  

According to Ponemon Institute’s ‘2022 Cost of Insider Threats’ report, cases of insider threats have increased by 44% over the past two years, while the cost per incident has gone up by a third to $15.38 million. Also, the time taken to contain an insider threat increased from 77 days to 85 days in the past two years.