Block Faces Class Action Lawsuit over Data Breach
Firm Did Not Have Necessary Measures to Protect PII, Plaintiffs AllegeFintech company Block faces a putative class action demanding improvements to corporate security and damages for customers affected by a 2021 data breach that affected 8.2 million individuals.
See Also: Live Webinar | CISO Leadership Blueprint to Managing Budgets, Third-Party Risks & Breaches
The company, formerly known as Square and co-founded by former-Twitter CEO Jack Dorsey, disclosed the breach in an April securities filing. A former employee of Block subsidiary Cash App Investing downloaded customer information including full names and brokerage account number, and in some cases brokerage portfolio value and other holdings data.
The putative class action lawsuit, filed in the Northern District of California, alleges Block failed to "exercise reasonable care in securing and safeguarding consumer information." Block owed a duty to its customers to protect their data but instead forced plaintiffs into spending time and resources into mitigating the breach, it charges. Consumers "have a property interest" in their private information, an interest that Block violated through negligent data security, it further alleges (see: Cash App Warns 8.2 Million Customers of Insider Breach).
The lawsuit comes just as a former security chief at Twitter alleged the social media giant had "extreme, egregious deficiencies" in security and user privacy (see: Twitter's Ex-Security Chief Files Whistleblower Complaint).
The two named plaintiffs allege they found multiple unauthorized transactions made to their Cash App accounts following the data breach, money for which they haven't been reimbursed.
"Notice of the Data Breach was not just untimely but woefully deficient. Even worse, Defendants failed to offer any credit or identity theft monitoring services," the complaint says.
The company, the plaintiffs allege, did not disclose how an unauthorized employee was able to access its network, whether their private data was encrypted and how it learned of the data breach.
Among plaintiffs' demands is that Block provide a complete and accurate disclosure to affected users and deploy appropriate methods and policies with respect to consumer data collection, storage and safety.
The lawsuit says the victims should receive at least three years of credit monitoring services, damages and a ruling requiring Block to improve its policies for holding consumer data, "especially as such methods and policies pertain to both current and former employees."