A former employee with Block used the digital financial services firm’s Cash App products to access and download personal information about US customers in December 2021, the firm has claimed.
In a filing this week with the Securities and Exchange Commission (SEC), Block officials alleged the ex-employee on December 10 downloaded reports of the company’s Cash App Investing subsidiary.
The data, it said, included such information as the full name and brokerage account number – a unique identification number linked to a customer’s stock activity – as well as brokerage portfolio value, holdings and stock trading activity.
It’s common for ex-employees to feel entitled to information of customers they worked with or of intellectual property the worked on…
The leak did not include usernames, passwords, Social Security numbers or dates of birth. There also were no security codes, access codes or password information to access Cash App accounts in the reports, Block said.
The breach is forcing Block’s Cash App Investing subsidiary to contact circa 8.2 million current and former customers about the situation and is another warning for organizations to harden policies that address former employees and information management, particularly as companies increasingly adopt software-as-a-service (SaaS) products that are accessible via the internet.
“This situation stresses the need for a well-defined employee offboarding process and possibly even the dangers of shared passwords within organizations,” Erich Kron, security awareness advocate at cybersecurity firm KnowBe4, told The Register.
“Without a strong offboarding process, accounts that should be disabled can easily be missed, leaving them open for abuse by ex-employees. Shared passwords are equally as dangerous, especially if they are not changed immediately after an employee leaves.”
It’s common for ex-employees to feel entitled to information of customers they worked with or of intellectual property they worked on, so it’s incumbent on enterprises to remove access to such data quickly and efficiently when workers leave, Kron said.
It was unclear from the SEC filing how the supposed former Block employee was able to access the reports or who the firm alleges the ex-worker is – the company only said that “while this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.”
Officials with the fintech company also didn’t detail exactly when they learned of the stolen information, only that they “recently determined” that it occurred. They notified regulators and law enforcement.
While company officials haven’t concluded their own investigation, they said a preliminary assessment and the information they know now leads them to believe the incident will materially impact the business’s operations or financial results.
That said, the execs added that they continue to “review and strengthen administrative and technical safeguard to protect the information of its customers.”
Are you sure you signed the departing user out of all their accounts?
Managing the myriad accounts created for employees is becoming increasingly complex with the growing use of SaaS tools, according to Chris Clements, vice president of solutions architecture at cybersecurity vendor Cerberus Sentinel.
Historically an employee would have a single account in a central authentication server like Microsoft’s Active Directory that would give them access to networks and applications. When the employee left the company, all that was needed was disabling or deleting that single account.
“Today, however, an organization may have dozens of SaaS solutions in use, many with stand-alone authentication systems not tied to the company’s internal authentication database,” Clements told The Register.
“In this situation, it can be difficult to identify all of an exiting employee’s accounts and coordinate with potentially many different teams that manage the SaaS products to ensure access is removed.”
Complicating things even more, often these third-party hosted services have their own logging and auditing functions that aren’t tied into an organization’s centralized logging or security information and event management (SIEM) system for easy review.
“This leaves the security team blind to suspicious behaviors or authentication attempts and relies on the team managing the SaaS solution for the organization to have a process for regular log review as well as the expertise to understand if events they are seeing indicate a potential problem,” he said.
“Because users can typically access these cloud-based solutions from anywhere, unless the security team or the cloud-application administrator is actively watching the security logs, it could be months or years before unauthorized access is detected and shut down.”
Enterprises need to ensure that threats like user account proliferation are part of their risk management strategy, Clements said. That includes having a formal user account request process for generating a complete list of all internal and external accounts created by an employee that can be removed after they leave the company.
In addition, companies need a vendor management strategy that considers threats that might arise when adopting a third-party service and proactively puts in strategies to limit potential damage. For example, enterprises can require that their vendors prove cybersecurity due diligence and ways the service can be adapted to provide easier management and monitoring by internal teams.
According to the filing, the former employee allegedly downloaded the reports on the same day that the company officially changed its name from Square to Block, creating a single brand for its various products, including Tidal – a music streaming service – Cash App and Square. Square announced the name change more than a week earlier and days after founder and CEO Jack Dorsey stepped down from his CEO position at Twitter, which he co-founded. ®