A class action was filed against mobile payments company Cash App Investing and its parent Block over “negligent” behavior related to the December 2021 data breach that allegedly compromised the personal information of 8.2 million former and current users.
The breach was the result of an ex-employee still having access to reports that contained users’ full names and brokerage account numbers, according to an April filing by Block with the Security and Exchange Commissions (SEC).
“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” according to the filing.
See also: Block Confirms Cash App Breach by Former Employee
Block said in the filing that the former employee was permitted to access and download the reports as part of the job, but this was done after the employee had left the company. The central accusation is that the employee was able to steal the data due to inadequate security measures, PYMNTS reported in April.
“While the exact reason(s) for the Data Breach remain unclear, there is no doubt that Defendants failed to adequately protect Plaintiffs’ and Class members’ Private Information and such negligent failures resulted in the injuries alleged herein,” according to the complaint.
The class action maintains that data breach victims now face a heightened risk of identity theft and fraud. The lawsuit is linking the data breach with subsequent thefts from users’ Cash App accounts, with the main plaintiffs arguing they experienced fraudulent activity on their accounts following the breach.
Read more: Block ‘Disappointed’ After CFPB Said It Slow-Rolled Cash App Probe
The lawsuit also points to Cash App’s delay in notifying users of the December 2021 breach until the SEC filing in April 2022, which caused additional harm to customers that “they otherwise could have avoided had a timely disclosure been made.”
Moreover, the defendants’ notice to data breach victims was “not just untimely but woefully deficient,” according to the class action. The document didn’t offer any details regarding how the former employee was able to access customer information, whether the data was encrypted or otherwise protected, or how Block learned about the breach.
The defendants also have failed to offer any credit or identity theft monitoring services to those whose information was compromised, according to the case.