Block says a former employee downloaded data on millions of Cash App Investing customers.

Delicate data for greater than eight million customers of Money App Investing — a inventory buying and selling app run by Block, the proprietor of the Sq. funds system — was uncovered when a former worker downloaded company experiences after leaving the corporate.

Block revealed the info publicity in a regulatory submitting on Monday, and stated it was contacting the affected prospects.

“Upon discovery, we took steps to remediate this subject and launched an investigation with the assistance of a number one forensics agency,” Fiona Lee, a Block spokeswoman, stated. “We all know how these experiences have been accessed, and we have now notified regulation enforcement.”

The uncovered information concerned solely customers of Money App’s investing product, not the person-to-person cost service with roughly 44 million customers, the corporate stated.

The data was retrieved by the previous worker in December and included prospects’ names and Money App brokerage account numbers. For some prospects, it additionally included their portfolio worth, their holdings and sure buying and selling exercise. The data didn’t embody consumer names, passwords, Social Safety numbers and different personally identifiable particulars, Block stated in its submitting.

Corporations that cope with monetary information sometimes have robust inside methods to guard that data. Ms. Lee declined to remark particularly on how the previous worker gained entry and whether or not the corporate had made changes for the reason that breach was found.

“We proceed to overview and strengthen administrative and technical safeguards to guard data,” she stated in a written assertion.

Monetary corporations that aren’t banks sometimes face far much less scrutiny from regulators about their safety methods than tightly regulated banks. Sq. obtained a banking constitution final yr for Sq. Monetary Providers, which permits it to supply some banking companies, however that unit operates independently from Money App.

The concept that a former worker was one way or the other in a position to sneak in meant one thing went badly awry. “Taking prospects’ information and safety significantly would require securing exterior entry to staff’ accounts and disabling that entry upon termination, ideally earlier than the worker leaves,” stated James McQuiggan, a safety knowledgeable at KnowBe4, a cybersecurity coaching firm.

Money App is among the hottest person-to-person cost methods in the USA, trailing Zelle and PayPal’s Venmo. It has grown to incorporate debit playing cards, service provider cost instruments and a tax-preparation system that Block purchased from Credit score Karma. The info breach didn’t have an effect on customers of any merchandise apart from the investing app, Block stated.

Money App Investing prospects stated in a Reddit discussion board that that they had acquired emailed notices on Monday concerning the incident. Many have been irked by the breach.

“Now the query is whether or not or not our names and accounts numbers have been leaked to the darkish net?” one consumer wrote.