Block, formerly Square, said Monday in a regulatory filing that a former employee downloaded Cash App Investing reports containing customer names and brokerage account numbers in December, after leaving the company.
The company’s stock price was down as much as 7%, to $125.54, on Wednesday morning.
Block “recently determined” the breach occurred, meaning it went undetected for almost four months, according to the filing. As of December, the app had 44 million monthly transacting customers across the U.S. and Europe, according to Block’s most recent quarterly report.
“The information in the reports included full name and brokerage account number (this is the unique identification number associated with a customer’s stock activity on Cash App Investing), and for some customers also included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day,” the company said in the filing submitted to the Securities and Exchange Commission on Monday.
Block said the reports didn’t include usernames, passwords, Social Security numbers, dates of birth, payment information, addresses, bank accounts or other personally identifiable information.
The company said it would be reaching out to 8.2 million current and former customers to alert them to the data breach. Companies usually have four business days to file a report with the SEC after a qualifying event.
“Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement,” a Cash App spokesperson told Decrypt via email. “We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”