More than 8 million customers may have been impacted
All it takes is one former employee to break the rules and millions of people can be affected.
Cash App Investing, a division of the popular payment app Cash App, found that out the hard way.
More than 8 million Cash App Investing customers may have had personal data compromised after a former employee downloaded internal reports without permission, parent company Block Inc. revealed in a regulatory filing this week. Headquartered in San Francisco, Block said it’s reaching out to roughly 8.2 million current and former customers about the incident.
“At Cash App we value customer trust and are committed to the security of customers' information,” Danika Owsley, a spokesperson for Cash App, told CNN Business. “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm.”
The former employee downloaded the data in December, after their employment with the company had ended, according to the filing. “We know how these reports were accessed, and we have notified law enforcement,” Owsley said. The company continues to “review and strengthen administrative and technical safeguards to protect information,” she added.
Read more: How HR handles violence in the workplace
Information in the reports included customers' full names and brokerage account number, which is the personal identification number associated with a customers' stock activity on the platform. For some customers, the data accessed also included the value and holdings of the brokerage portfolio, as well as some trading activity, according to the SEC filing.
However, the information didn’t include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information or “any other personally identifiable information,” according to the filing.
It’s another reminder for HR directors and other company leaders that cybersecurity is of the utmost importance, especially in the digital age. A 2020 report from United Kingdom firm Tessian found that 43% of workers have made serious mistakes resulting in security repercussions for either themselves or their company. Some of the mistakes included losing clients after messaging the wrong person (20%) and clicking on a phishing link at work (25%). In fact, 10% of workers actually lost their jobs after sending a rouge email.
“Cybersecurity training needs to reflect the fact that different demographics use technology and respond to threats in different ways and that a one-size-fits-all approach to training won’t work,” Tim Sadler, CEO of Tessian, told HRD. “It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100 per cent of the time, especially during these uncertain times.”
“To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person,” Sadler added.