Breach cyber

Block (Cash App)

Sep 9, 2025 2 min read
Block (Cash App)

Block, the parent company of Cash App, faced a significant data breach in December 2021 when a former employee unlawfully downloaded personal information of approximately **8.2 million Cash App users**. The breach was not disclosed until **April 4, 2022**, nearly four months later, raising concerns about transparency and data security practices. Shareholders filed a class-action lawsuit, alleging Block misled investors by failing to disclose inadequate security measures before the breach and during its $29 billion acquisition of Afterpay. While the lawsuit was dismissed due to lack of evidence of fraudulent intent, the incident exposed vulnerabilities in Block’s data protection framework. Additionally, Block settled separate regulatory cases in 2024, paying **$80 million** to 48 states and **$40 million** to New York for anti-money laundering deficiencies in Cash App. The breach involved **customer data leakage**, though no ransomware was reported. Cash App, with **57 million monthly users** and **$283 billion in inflows (2024)**, faced reputational and financial risks, though the direct operational impact appeared contained to data exposure and legal repercussions.

Source: https://www.livemint.com/companies/news/block-defeats-shareholder-lawsuit-over-2021-cash-app-data-breach-11757461007812.html

TPRM report: https://www.rankiteo.com/company/joinblock

"id": "joi1902219091025",
"linkid": "joinblock",
"type": "Breach",
"date": "12/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '8.2 million',
                        'industry': ['Financial Services',
                                     'Technology',
                                     'Mobile Payments'],
                        'location': 'Oakland, California, USA',
                        'name': 'Block, Inc. (Cash App)',
                        'size': 'Large (57M monthly users as of 2024)',
                        'type': 'Public Company'},
                       {'industry': 'Financial Services (Buy Now, Pay Later)',
                        'location': 'Australia',
                        'name': 'Afterpay (acquired by Block)',
                        'type': 'Subsidiary'}],
 'attack_vector': 'Insider Threat (former employee)',
 'data_breach': {'data_exfiltration': 'Yes (downloaded by former employee)',
                 'number_of_records_exposed': '8.2 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personal information'},
 'date_detected': '2021-12-10',
 'date_publicly_disclosed': '2022-04-04',
 'description': 'Block, led by Jack Dorsey, won the dismissal of litigation '
                'claiming it misled shareholders regarding a December 2021 '
                'data breach at its Cash App service. A former employee '
                'downloaded personal information of ~8.2 million users. '
                'Shareholders alleged Block failed to disclose inadequate data '
                'security and delayed breach notification by nearly four '
                'months. The company also faced accusations of misleading '
                'Afterpay shareholders during its $29B acquisition. Block '
                'previously settled AML-related charges for $80M (48 states) '
                'and $40M (New York).',
 'impact': {'brand_reputation_impact': ['Litigation',
                                        'Regulatory Settlements ($120M total)'],
            'data_compromised': 'Personal information of ~8.2 million Cash App '
                                'users',
            'identity_theft_risk': 'High (personal information exposed)',
            'legal_liabilities': ['Shareholder litigation (dismissed)',
                                  'AML settlements ($80M + $40M)']},
 'initial_access_broker': {'entry_point': 'Internal (former employee with '
                                          'authorized access)',
                           'high_value_targets': 'Cash App user database'},
 'investigation_status': 'Closed (litigation dismissed; regulatory settlements '
                         'reached)',
 'motivation': ['Financial Gain (alleged by shareholders)',
                'Unauthorized Data Access'],
 'post_incident_analysis': {'corrective_actions': ['Regulatory settlements '
                                                   '($120M)',
                                                   'Potential internal policy '
                                                   'reforms (unspecified)'],
                            'root_causes': ['Inadequate data security controls',
                                            'Insider threat risk management '
                                            'failure',
                                            'Delayed breach disclosure']},
 'references': [{'source': 'Reuters'},
                {'source': 'U.S. District Court, Southern District of New York '
                           '(Case No. 22-08636)'}],
 'regulatory_compliance': {'fines_imposed': ['$80 million (48 states)',
                                             '$40 million (New York)'],
                           'legal_actions': ['Shareholder class-action '
                                             'litigation (dismissed)',
                                             'State regulatory settlements'],
                           'regulations_violated': ['Anti-Money Laundering '
                                                    '(AML) policies',
                                                    'Potential securities '
                                                    'disclosure violations '
                                                    '(alleged)'],
                           'regulatory_notifications': ['Delayed (disclosed 4 '
                                                        'months post-breach)']},
 'response': {'communication_strategy': ['Delayed disclosure (4 months)',
                                         'Regulatory filings',
                                         'Public statements via court '
                                         'proceedings']},
 'stakeholder_advisories': ['Court filings', 'Regulatory disclosures'],
 'threat_actor': 'Former employee',
 'title': 'Block (Cash App) Data Breach and Shareholder Litigation Dismissal',
 'type': ['Data Breach', 'Insider Threat', 'Shareholder Litigation'],
 'vulnerability_exploited': 'Inadequate data security controls / unauthorized '
                            'access by insider'}
Published by
Jeremy C
Jeremy C
You might also like
Breach cyber

Gainsight

public 2 min read
Gainsight experienced a security breach involving its Salesforce-connected app, where suspicious activity was detected. While the company’s CEO, Chuck…
Jeremy C Jeremy C
Breach cyber

Gainsight

public 2 min read
Gainsight, a customer success platform, suffered a breach linked to its Salesforce-connected app, initially flagged by Salesforce due to unusual…
Jeremy C Jeremy C
Breach cyber

Gainsight

public 2 min read
Gainsight, a customer success management software firm, experienced a breach in its systems that compromised Salesforce customer tokens. The incident…
Jeremy C Jeremy C
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.