The Cash App Breach Involved an Inside Actor

The recent Cash App class-action lawsuit settlement may seem like an opportunity for users of the payment service, with headlines suggesting that anyone who used Cash App between 2018 and now could be eligible for up to $2,500. However, these claims are somewhat exaggerated. A more pressing concern is understanding how the breaches that led to the suit occurred—and whether similar incidents could happen again.

The lawsuit claims that Cash App and its parent company Block Inc. were negligent in 2022 when an employee accessed account data without authorization, followed by another breach in 2023.

Block has agreed to a $15 million settlement. But merely having used the app is not enough to receive a share of the settlement. User must provide “third-party documentation showing a “data security incident, unauthorized account event, or deficiency in error resolution” with a Cash App account. That said, providing documented proof of these actions will be tough for many users, especially two or three years after the fact.

These are not the only user issues that Cash App has dealt with. According to a 2022 study from the Bank Policy Institute, six times as many disputed transactions were made using Cash App as with Zelle, underscoring growing concerns about transaction processes.

An Insider with Access

The initial breach was caused by an insider. An employee at Cash App Investing accessed and downloaded consumers’ personal identifiable information. The suit claims that Block and Cash App Investing did not implement sufficient controls to prevent unauthorized access and misuse of Cash App and Cash App Investing accounts after the breach was discovered. This failure led to customer complaints about unauthorized or fraudulent transactions.

That led to a second data breach in 2023, where Cash App identified further unauthorized access to customer accounts. It alerted customers that “an unauthorized user logged into your Cash App account using a phone number that was linked to your account and had been recycled by your carrier.”

The fact that the first breach was caused by an insider made it even difficult to correct, according to Jennifer Pitt, Senior Analyst of Fraud and Security at Javelin Strategy & Research. Pitt is working on a report examining the challenges organizations face when insiders commit data breaches, whether purposefully or unwittingly. A Stanford study cited in the research found that half of all surveyed employees made an error at work that could lead to security concerns.

“Data breaches that involve inside actors often take longer to detect, causing more damage and financial loss, because the employee already has authorized access to the company network,” Pitt said. “With the rise of social engineering and shockingly realistic generative AI-based phishing attacks, employees are more easily being coaxed into providing user credentials and other sensitive information.”