Anatomy of a Breach: Cash App — 8.2 Million Customers Exposed by a Former Employee

> series: anatomy_of_a_breach —— part: 162 —— target: cash_app —— records: 8,200,000 —— method: former_employee_access_not_revoked

Hedgehog Security, 30 June 2022

8.2 million customers. A former employee. Access that should have been revoked the day they left.

In April 2022, Block Inc. disclosed that a former employee of Cash App — the popular mobile payment service — had downloaded internal reports containing the personal data of approximately 8.2 million current and former Cash App Investing customers. The data included full names, brokerage account numbers, brokerage portfolio values, and stock trading activity for one trading day. The former employee had accessed the reports after their employment with Cash App had ended.

The breach was a straightforward access management failure: a former employee retained access to internal systems and reports after their departure. This is the insider threat at its most basic — not a sophisticated attack, not a disgruntled employee planning sabotage, but an organisation that simply failed to revoke access when employment ended. The pattern echoes the T-Mobile UK insider (2009), the Vodafone Germany insider (2013), and the Morrisons insider (2014) — all cases where access controls and monitoring failed to prevent insider data theft.


Revoke access on departure. It sounds simple. It keeps not happening.

Access Not Revoked on Departure

The former employee retained access after leaving Cash App — the most basic access management failure. <a href="/cyber-essentials">Cyber Essentials Danzell</a> requires that user accounts are disabled when no longer required and that access reviews are conducted. Automated offboarding processes — tying HR departure events to immediate access revocation — prevent this category of breach entirely.
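
As an added example (not Hedgehog Security's code, and nothing from Block or Cash App), the following Python script shows the reconciliation an automated offboarding job would run: it joins an HR feed to a directory export, disables accounts whose owner's end date has passed, and flags orphaned and stale accounts for the access review. The HR feed layout, usernames, employee IDs, dates, role names and the 90-day staleness window are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample data (hypothetical IDs, names and dates): a minimal HR
# leavers feed and an identity-directory export. Not Cash App or Block data.

@dataclass
class HrRecord:
    employee_id: str
    end_date: Optional[date]        # None: still employed

@dataclass
class Account:
    username: str
    employee_id: Optional[str]      # None: no HR owner on record
    enabled: bool
    last_login: Optional[date]
    roles: Set[str] = field(default_factory=set)

TODAY = date(2022, 6, 30)           # constructed "now" for the example

HR_FEED = [
    HrRecord("E100", None),
    HrRecord("E101", date(2022, 6, 3)),    # left weeks ago; account is still live
    HrRecord("E102", date(2022, 7, 15)),   # future end date: still employed today
]

DIRECTORY = [
    Account("alice", "E100", True, date(2022, 6, 28), {"reports.read"}),
    Account("bob", "E101", True, date(2022, 6, 20), {"reports.read", "reports.export"}),
    Account("carol", "E102", True, date(2022, 6, 29), {"reports.read"}),
    Account("svc-legacy", None, True, date(2022, 1, 2), {"reports.export"}),
    Account("dave", "E999", True, None, {"admin"}),   # E999 is not in the HR feed
]

def plan_offboarding(hr_feed, directory, today, stale_days=90) -> Dict[str, List[str]]:
    """Compare the directory against HR and return what to disable or review."""
    hr = {r.employee_id: r for r in hr_feed}
    cutoff = today - timedelta(days=stale_days)
    to_disable, orphaned, stale = [], [], []
    for acct in directory:
        if not acct.enabled:
            continue
        rec = hr.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            orphaned.append(acct.username)     # no HR owner: nothing will ever trigger revocation
        elif rec.end_date is not None and rec.end_date <= today:
            to_disable.append(acct.username)   # leaver whose access is still live
        if acct.last_login is None or acct.last_login < cutoff:
            stale.append(acct.username)        # candidate for removal at the periodic access review
    return {"to_disable": sorted(to_disable), "orphaned": sorted(orphaned), "stale": sorted(stale)}

def apply_plan(directory, plan) -> List[str]:
    """Disable leaver accounts; orphaned and stale ones go to a human review queue instead."""
    targets = set(plan["to_disable"])
    changed = []
    for acct in directory:
        if acct.username in targets and acct.enabled:
            acct.enabled = False
            acct.roles.clear()      # strip entitlements as well, not just the login
            changed.append(acct.username)
    return changed

def who_can(directory, role) -> List[str]:
    """Enabled accounts that still hold a given entitlement (e.g. report export)."""
    return sorted(a.username for a in directory if a.enabled and role in a.roles)

if __name__ == "__main__":
    plan = plan_offboarding(HR_FEED, DIRECTORY, TODAY)
    print(plan)
    print("disabled:", apply_plan(DIRECTORY, plan))
    print("can still export reports:", who_can(DIRECTORY, "reports.export"))
```

Run stand-alone, it disables bob because HR recorded an end date for that employee, and queues svc-legacy and dave for review rather than auto-disabling them, since neither has an HR owner that a departure event could ever be tied to. Note that bob's last login falls after the HR end date: that login is exactly what monitoring of leaver accounts should raise, independently of the offboarding job.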

Financial Data: Portfolio Values and Trading

The exposed data included portfolio values and trading activity — sensitive financial information that could be used for targeted social engineering, identity theft, or market manipulation. For UK <a href="/blog/sector-under-the-microscope-financial-services">financial services firms</a>, insider access controls on trading data are a regulatory requirement.

No Monitoring Detected the Access

The former employee's continued access was not detected through monitoring — only discovered after the fact. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for access by disabled or inactive accounts and anomalous data access patterns — detecting exactly this type of insider activity.
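
As an added example, not code from Hedgehog Security or from the SOC in a Box product, here is the detection logic in Python run over a few constructed access-log lines: it joins each event to the identity state (disabled accounts and leaver end dates) and totals exported rows per user per day, so that a single bulk pull of a customer report stands out. The key=value log format, usernames, dates and the 100,000-row threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample access log in a hypothetical key=value format; not real
# Cash App telemetry. One user (bob) has an HR end date in the past, one (eve)
# is a disabled account, and one line is deliberately malformed.
SAMPLE_LOG = """\
2022-03-14T09:15:02Z user=alice action=report.view report=investing_daily rows=120
2022-03-14T14:02:11Z user=bob action=report.export report=investing_daily rows=8200000
2022-03-14T14:05:40Z user=bob action=report.export report=investing_positions rows=52000
2022-03-14T16:30:00Z user=eve action=report.view report=investing_daily rows=10
2022-03-15T08:00:00Z user=alice action=report.export report=investing_daily rows=400
garbage line that does not match the expected format
"""

# Hypothetical identity state the detector joins against (constructed).
DISABLED_ACCOUNTS: Set[str] = {"eve"}
LEAVER_END_DATES: Dict[str, date] = {"bob": date(2022, 3, 4)}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) report=(?P<report>\S+) rows=(?P<rows>\d+)$"
)

Alert = Tuple[str, str, str]   # (rule, user, detail)

def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; None if it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    return rec

def detect(log_text: str, disabled: Set[str], leavers: Dict[str, date],
           row_threshold: int = 100_000) -> List[Alert]:
    """Raise alerts for disabled-account use, post-departure use and bulk exports."""
    alerts: List[Alert] = []
    exported: Dict[Tuple[str, date], int] = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Unparseable telemetry is itself worth a ticket: it is a blind spot.
            alerts.append(("UNPARSEABLE_LINE", "-", line))
            continue
        user, ts = rec["user"], rec["ts"]
        if user in disabled:
            alerts.append(("DISABLED_ACCOUNT_ACCESS", user, ts.isoformat()))
        end = leavers.get(user)
        if end is not None and ts.date() > end:
            # Fires even when offboarding never ran and the account is still enabled.
            alerts.append(("LEAVER_ACCESS", user, f"{ts.isoformat()} end_date={end.isoformat()}"))
        if rec["action"] == "report.export":
            exported[(user, ts.date())] += rec["rows"]
    # Per-user, per-day export volume against a baseline threshold.
    for (user, day), rows in sorted(exported.items()):
        if rows > row_threshold:
            alerts.append(("BULK_EXPORT", user, f"{day.isoformat()} rows={rows}"))
    return alerts

def summarise(alerts: List[Alert]) -> Counter:
    """Count alerts by rule, for a quick triage view."""
    return Counter(rule for rule, _, _ in alerts)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG, DISABLED_ACCOUNTS, LEAVER_END_DATES)
    for alert in found:
        print(alert)
    print(summarise(found))
```

The leaver check compares the event time with the HR end date rather than relying on the directory's enabled flag alone, so it still fires when offboarding has not run and the account is technically live, which is the situation this breach describes. The row threshold is a flat per-day baseline for the example; in practice it would be derived from each report's normal consumer volume, and the export rule would be scoped to the reports that carry customer data.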

Thirteenth Year, Same Failure

Insider threats have appeared throughout this series since 2009. The controls are well-understood: prompt access revocation, least privilege, access logging, and monitoring. Yet organisations continue to fail at the basics. Our <a href="/penetration-testing/infrastructure">internal penetration testing</a> assesses access controls and identifies over-privileged accounts.

Revoke access. Review access. Monitor access. Every time. Every departure.

The Cash App breach was entirely preventable through a single control: revoking the employee's access upon departure. Cyber Essentials Danzell mandates access reviews and account disablement. Our internal testing identifies stale accounts and over-privileged access. SOC in a Box monitors for access by inactive accounts. And UK Cyber Defence provides the forensic investigation capability when insider access is detected.


A former Cash App employee accessed 8.2 million customer records after leaving. Are your leavers' accounts disabled?

<a href="/cyber-essentials">Cyber Essentials</a> mandates access revocation. <a href="/penetration-testing/infrastructure">Internal testing</a> finds stale accounts. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects insider access.
