This week just keeps getting worse for Jack Dorsey-aligned products.
On Tuesday, Dorsey’s fintech business Block found itself on the receiving end of a class action lawsuit accusing the company of failing to properly protect personal data of some 8.2 million Cash App investing customers compromised during a 2021 breach. News of the lawsuit came just hours after a whistleblower at Twitter, Dorsey’s previous company, went public with details of the company’s allegedly incredibly lax security policies that he says may have put users’ data at risk.
The complaint accused Block of negligence for allowing a former employee to gain access to Cash App Investing customers’ full names, brokerage account numbers, trading activity and other personal information. The former employee allegedly downloaded the data during his time at the company without Block’s authorization.
Though it remains unclear exactly how the breach occurred, the suit claims “there is no doubt” Block failed to adequately protect its customers’ data. In other words, Block’s allegedly shoddy security practices allegedly allowed the former employee to make off with the data in the first place.
“Defendants [Block] disregarded the rights of Plaintiffs and Class members by intentionally, willfully, recklessly, and/or negligently failing to take and implement adequate and reasonable administrative and data security measures to ensure that Plaintiffs’ and Class members’ PII was safeguarded from access by former employees,” the suit alleges. “Among other things, Defendants failed to implement data security measures designed to prevent this release of information to former employees.”
Block did not immediately respond to Gizmodo’s request for comment.
Though Block previously released the types of data compromised in a disclosure report submitted to the U.S. Securities and Exchange Commission earlier this year, the lawsuit goes a step further and links that breach to fraudulent behavior costing Block customers time and money. The suit details accounts of plaintiffs who said they noticed fraudulent charges on sites like Amazon following the breach and others who claim they spent dozens of hours sifting through unauthorized charges and desperately trying to get reimbursement. One of the plaintiffs, Chicago-based Raymel Washington, allegedly dealt with unauthorized transactions in his Cash App account totaling $394.85 that he was never able to get back from Cash App.
The lawsuit also takes issue with the amount of time it took Block to notify customers of the reported breach. According to the suit, Block waited four full months to notify customers after the initial discovery of the breach. That delay, the suit claims, resulted in customers facing avoidable harm.
“Defendants’ [Block’s] notice of the Data Breach was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how the unauthorized former employee was able to access its networks, whether the Private Information accessed was encrypted or otherwise protected, or how it learned of the Data Breach,” the suit reads.
The new lawsuit comes on the heels of disclosures sent to Congress calling into question the security practices of Twitter, Dorsey’s former mainstay company. Speaking with CNN and The Washington Post Tuesday, former Twitter Head of Security Peiter “Mudge” Zatko claimed Twitter executives misled its board and regulators over security vulnerabilities impacting the platform and alleged Twitter does not reliably delete its users’ data once they’ve left the platform. Zatko claimed that around half of full-time Twitter employees have access to vast amounts of user data.
Though Dorsey officially jumped ship from Twitter’s board back in May in somewhat dramatic fashion, the founder played a critical role in the company’s 16-year history.
You can read the full class action lawsuit here: