A class action was filed against mobile payments company Cash App Investing and its parent company Block for “negligent” behavior related to the December 2021 data breach that allegedly compromised the personal information of 8.2 million former and current users.
The breach was the result of a former employee still having access to reports containing users’ full names and brokerage account numbers, according to a report Block filed in April with the Securities and Exchange Commission (SEC).
“While this employee had regular access to these reports as part of his prior job responsibilities, in this case, these reports were accessed without authorization after his employment ended,” according to the filing.
Block said in the filing that the former employee had been allowed to access and download the reports as part of his job, but that the access in question took place after the employee left the company. The central accusation is that the employee may have stolen the data because of inadequate security measures, PYMNTS reported in April.
“While the exact reason(s) for the data breach is unclear, there can be no doubt that Defendants failed to adequately protect the private information of Plaintiffs and Class Members and such negligent breaches resulted in the injuries alleged here,” according to the complaint.
The class action claims data breach victims now face an increased risk of identity theft and fraud. The lawsuit links the data breach to subsequent thefts of users’ Cash App accounts, with the primary plaintiffs arguing that they experienced fraudulent activity on their accounts as a result of the breach.
The lawsuit also points to Cash App’s delay in notifying users of the breach, from December 2021 until the SEC filing in April 2022, which caused additional harm to customers that “they could otherwise have avoided if a timely disclosure had been made.”
Additionally, the defendants’ notice to data breach victims was “not only inappropriate, but woefully inadequate,” according to the class action. The document did not provide any details on how the former employee was able to access customer information, whether the data was encrypted or otherwise protected, or how Block learned of the breach.
The defendants also failed to offer credit monitoring or identity theft services to those whose information was compromised, according to the complaint.