Block accused of mishandling data breach affecting 8.2m users
Block, the parent company of payments processor Square, is facing claims that it mishandled a major data breach, and faces a class-action lawsuit over its response time and mitigations to the incident.
The plaintiffs argue that because of a four-month delay between the company learning about the data breach and notifying affected customers, Block is in violation of several pieces of consumer legislation. The complaint cites acts such as the California Customer Records Act, Illinois Consumer Fraud Act, and Texas Deceptive Trade Practices Act.
In December, Block learned that one of its former employees had downloaded information on users of the company’s mobile payment service app Cash App. Using the investment service that Cash App offers, the employee was able to access information such as customer names, brokerage account numbers, and trading activity for a specific day.
Around 8.2 million users were advised about the breach four months later in April, when the company made the matter public. The plaintiffs argue that this is an unacceptable amount of time for the company to have waited before acting, and that the information eventually provided did not properly explain the failure in its security.
“Defendants’ notice of the data breach was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how the unauthorised former employee was able to access its networks, whether the private information accessed was encrypted or otherwise protected, or how it learned of the data breach,” the lawsuit contends.
“Even worse, defendants failed to offer any credit or identity theft monitoring services for plaintiffs and class members.”
The plaintiffs have also stressed that the breach exposes the security systems Block has in place as inadequate, and that failure to disclose this to its customers amounts to deceptive practice. Several acts of legislation are used to define deceptive practice, such as the Texas Deceptive Trade Practices Act which sets it out as “[r]epresenting that goods or services are of a particular standard, quality or grade, if they are of another”.
Block had stated in April that it spoke to law enforcement following the breach, but failed to provide a material explanation of how a former employee could still access sensitive information.
The plaintiffs argue that they incurred losses and harm to their privacy as a result of the breach, something that could have been avoided if Block had informed them of the breach immediately. This includes “lost time dedicated to the investigation of and attempt to recover the loss of funds and/or cure harm to their privacy”.
Cash App is a popular app for sending money, with an especially active userbase in the US, and over 70 million active customers worldwide in the period 2020-2021. In addition to operating Cash App and owning Square, Block owns the ‘buy now pay later’ platform Afterpay, which it acquired in 2021.
Ⓒ Future Publishing
Subscribers 0
Fans 0
Followers 0
Followers