Block claims ex-employee downloaded customer data after leaving firm

Leak highlights worker offboarding policies as SaaS use grows

A former employee with Block used the digital financial services firm's Cash App products to access and download personal information about US customers in December 2021, the firm has claimed.

In a filing this week with the Securities and Exchange Commission (SEC), Block officials alleged the ex-employee on December 10 downloaded reports of the company's Cash App Investing subsidiary.

The data, it said, included such information as the full name and brokerage account number – a unique identification number linked to a customer's stock activity – as well as brokerage portfolio value, holdings and stock trading activity.

It's common for ex-employees to feel entitled to information of customers they worked with or of intellectual property the worked on...

The leak did not include usernames, passwords, Social Security numbers or dates of birth. There also were no security codes, access codes or password information to access Cash App accounts in the reports, Block said.

The breach is forcing Block's Cash App Investing subsidiary to contact circa 8.2 million current and former customers about the situation and is another warning for organizations to harden policies that address former employees and information management, particularly as companies increasingly adopt software-as-a-service (SaaS) products that are accessible via the internet.

"This situation stresses the need for a well-defined employee offboarding process and possibly even the dangers of shared passwords within organizations," Erich Kron, security awareness advocate at cybersecurity firm KnowBe4, told The Register.

"Without a strong offboarding process, accounts that should be disabled can easily be missed, leaving them open for abuse by ex-employees. Shared passwords are equally as dangerous, especially if they are not changed immediately after an employee leaves."

It's common for ex-employees to feel entitled to information of customers they worked with or of intellectual property they worked on, so it's incumbent on enterprises to remove access to such data quickly and efficiently when workers leave, Kron said.

It was unclear from the SEC filing how the supposed former Block employee was able to access the reports or who the firm alleges the ex-worker is - the company only said that "while this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended."

Officials with the fintech company also didn't detail exactly when they learned of the stolen information, only that they "recently determined" that it occurred. They notified regulators and law enforcement.

While company officials haven't concluded their own investigation, they said a preliminary assessment and the information they know now leads them to believe the incident will materially impact the business's operations or financial results.

That said, the execs added that they continue to "review and strengthen administrative and technical safeguard to protect the information of its customers."

Are you sure you signed the departing user out of all their accounts?

Managing the myriad accounts created for employees is becoming increasingly complex with the growing use of SaaS tools, according to Chris Clements, vice president of solutions architecture at cybersecurity vendor Cerberus Sentinel.

Historically an employee would have a single account in a central authentication server like Microsoft's Active Directory that would give them access to networks and applications. When the employee left the company, all that was needed was disabling or deleting that single account.

"Today, however, an organization may have dozens of SaaS solutions in use, many with stand-alone authentication systems not tied to the company's internal authentication database," Clements told The Register.

"In this situation, it can be difficult to identify all of an exiting employee's accounts and coordinate with potentially many different teams that manage the SaaS products to ensure access is removed."

Complicating things even more, often these third-party hosted services have their own logging and auditing functions that aren't tied into an organization's centralized logging or security information and event management (SIEM) system for easy review.

"This leaves the security team blind to suspicious behaviors or authentication attempts and relies on the team managing the SaaS solution for the organization to have a process for regular log review as well as the expertise to understand if events they are seeing indicate a potential problem," he said.

"Because users can typically access these cloud-based solutions from anywhere, unless the security team or the cloud-application administrator is actively watching the security logs, it could be months or years before unauthorized access is detected and shut down."

Enterprises need to ensure that threats like user account proliferation are part of their risk management strategy, Clements said. That includes having a formal user account request process for generating a complete list of all internal and external accounts created by an employee that can be removed after they leave the company.

In addition, companies need a vendor management strategy that considers threats that might arise when adopting a third-party service and proactively puts in strategies to limit potential damage. For example, enterprises can require that their vendors prove cybersecurity due diligence and ways the service can be adapted to provide easier management and monitoring by internal teams.

According to the filing, the former employee allegedly downloaded the reports on the same day that the company officially changed its name from Square to Block, creating a single brand for its various products, including Tidal – a music streaming service – Cash App and Square. Square announced the name change more than a week earlier and days after founder and CEO Jack Dorsey stepped down from his CEO position at Twitter, which he co-founded. ®

Other stories you might like

  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2022