In an SEC filing made on Monday, Cash App parent company Block, Inc., said that it was working to contact roughly 8.2 million past and present customers of its investment services, as names, brokerage portfolio values and account numbers were compromised in a data breach.
According to Block’s form 8-K, a employee who had regular access to the records during their employment downloaded customer records after leaving the company. The reports didn’t contain Cash App usernames or passwords, and the company said that Social Security numbers, birthdays, payment card info and most other types of personally identifiable information weren’t accessed.
How cybercriminals can leverage stolen Cash App data
Still, according to experts, the portfolio data accessed represents a serious compromise. Avivah Litan, a distinguished research vice president at Gartner, said that part of the idea with this type of hack might be to identify potentially worthwhile targets for further compromise.
“Using this compromised data, a hacker could determine which investors are worth targeting, based on their account values, and how to target them, based on their portfolio holdings and daily trading activity,” she said. “Further, they could integrate the compromised CashApp data with other previously stolen dark net data that potentially exists on the same individual to gain enough information – such as user IDs and passwords at other financial institutions or websites – to effectively socially engineer the user into transferring funds to a criminal account.”
The idea that the attack was one step in a longer process was echoed by IDC research director Aaron Press, who said that the potential target – brokerage accounts – made sense, given the specific types of information that were stolen.
“There’s no guarantee that this will be of use, and it may not be of value,” he said, “but if someone were interested in attacking a brokerage account, then this would be a place to start.”
CSO is currently following this event and will post updates as they become available.