
Cash App breach demonstrates threat posed by past and present employees

Miles Suter, Bitcoin Product Lead at Cash App, speaks during the Bitcoin 2022 Conference at the Miami Beach Convention Center on April 7, 2022 in Miami, Florida. (Photo by Marco Bello/Getty Images)

This is part one of a two-part series examining the challenges tied to the insider threat for the financial sector. Part two is "Insider threats reverberate throughout the financial industry amid the Great Resignation."

A recent compromise of the investment arm of Block Inc.’s fast-growing Cash App, which has been favored by Generation Z and Millennial customers, demonstrates the risk of insider fraud from former as well as existing employees.

Last week, news broke of a major data loss from the popular peer-to-peer (P2P) payment service, when financial regulator the SEC released a filing that charged a former Cash App employee with stealing the personal information of 8 million users. The Cash App Investing data theft in question happened in December 2021, when the former Cash App employee downloaded customer names, brokerage account numbers and, in some cases, portfolio details and value, holdings and certain trading activity.

According to information from Block Inc., this data heist should not affect the wider group of 44 million users of Cash App’s popular P2P service. But it does raise concerns about the risk and reliability tied to financial employees.

“The Block/Cash App breach highlights what we already know: that users are the biggest risk to a company’s sensitive data,” said Harris Schwartz, chief information security officer of Elevate Security, noting that eight or nine out of 10 breaches involve a human. “But the vast majority of those breaches are not from malicious insiders, and their methods are identical to malicious outsiders who have already gained access to an authorized account or sensitive assets.”

“There is a much greater risk from internal users that unwittingly click on a bad link or download malware,” Schwartz added. “The smartest thing companies can do is understand the behaviors and identify the users that pose the highest risk to their organization.”

In the SEC filing, Block (parent company of Cash App) admitted that the former employee in question had previously been allowed to download reports and customer information for their job. “While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” said the SEC filing.

Even prior to the news of this data theft, Cash App had been under fire from the Consumer Financial Protection Bureau and several state attorneys over its handling of “customer complaints and disputes.”

In this attack, there may have been an “incomplete termination of access” when the employee was let go, according to Tessian CISO Josh Yavor. “Large or small, no organization is immune to this type of risk, and this is one of the most common security challenges for any organization,” said Yavor. “While it often seems simple on the surface, the complexity of ensuring that all employee access is removed in a timely manner at the end of employment is rarely an easy task.”
