Individual Project

docx

School

George Mason University *

*We aren’t endorsed by this school

Course

320

Subject

Information Systems

Date

Dec 6, 2023

Type

docx

Pages

12

Uploaded by KidPuppyMaster1919

Report
The Case Study of Cash App Data Breach Geraldine Arandid Professor Chun-Lung Huang MIS 320-001 May 5, 2023 1
Cash App The simplest way to transfer, spend, save, and invest money is with the Cash App. When the Cash App was introduced in 2013, it offered consumers a practical way to transfer and receive money without using a bank or wire service. Since then, it has broadened its range and currently offers other services including Cash App-connected debit cards, direct deposit assistance, and an investing platform. To compete with mobile payment applications like Venmo and PayPal, Block, Inc., previously Square, Inc., also introduced the app in 2013. At the time, it was initially known as Square Cash. Cash App has its customization of debit cards. Cash App is the US’s top financial app. According to AppMagic estimates, it has had more than 36 million so far this year which is across the App Store and Google Play. Customers may also take advantage of cashback deals from establishments including McDonald’s, Walgreens, Walmart, and Whole Foods (Freitas, 2022). Customers can pay other users who have linked a bank account, credit card, or debit card, or request money from them via the platform. Although Cash App doesn’t have access to transfer the balance to the prepaid card, it can use to add money to Cash App. Through partner banks, the Federal Deposit Insurance Corporation insures the remaining balance in your account. Cash App Investing LLC, a broker-dealer registered with the Securities and Exchange Commission and a participant in the Financial Industry Regulation Authority, offers investing services. In addition, the users of the investing tool can invest as little as $1 in equities. This is accomplished by purchasing a fractional share---a small component of a stock. Through the app, users can also buy, sell, or transfer Bitcoin. Users also may file their taxes for free with Cash App Taxes which used to be Credit Karma Tax. It is gradually becoming a one-stop shop for financial services. Therefore, Cash App is convenient for all customers by using their phones to pay, send, and transfers money. 2
Instruments About 8.2 million current and former customers are being contacted via Cash App’s Investing platform with information and resources related to the incident (Kost, 2023). One of the representatives of Cash App verified the data breach and mentioned that names and brokerage account numbers were among the data in the disclosed reports. It also revealed the valuation, holdings, and stock trading activity for certain investors’ brokerage portfolios for trading. According to reports, the exposed data did not contain any personally identifying data such as usernames, passwords, Social Security Numbers, credit card information, addresses, or banking information (Cybertalks, 2022). They investigated that none of the security codes, access codes, or passwords used to access Cash App accounts were impacted by the hack. In this incident, it was an insider threat attack because, after the termination of that employee, he stole all the information from the Cash App customers to hack it without asking permission, and he had the advantage for that. Even though it had a data breach, Cash App is the most popular mobile payment app in the US. It was developed by Square and has used a variety of various techniques to expand the user base and boost service acceptance. Cash App company has a strategy which is the social media marketing strategy. To drive app downloads, the business has been utilizing innovative viral and influencer marketing methods. One of these tactics is to use sportsmen and musicians in its advertisements and to work with hip-hop influencers and their followers. Cash App has also advertised its commercials on social media apps like Instagram, Twitter, YouTube, Snapchat, and Facebook. With that kind of strategy, Cash App used the 4Cs of successful brand building which are community, collaborations, content, and curation. Overall, Cash App mastered and became successful in its marketing strategy until now. 3
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
The Events Despite of has a lot of benefits in Cash App for all customers and banks and becoming popularity, it has some flaws or issues with that app. Cash App was likely affected and informed by the breach, and it was about 8.2 million current and former Cash App customers (Kost, 2023). The Securities Exchange Commission that Block owns the financial service company in the Cash App, Block filed a report that the employee stole and downloaded all the information without permission. These are the following information that the employee stole and downloaded: Full Name, Brokerage Account Numbers, Portfolio Values and Holdings, and Stock trading activity for one day of trading. According to the New York Times, Cowley interviewed Block, owner of the Square Cash and Cash App, about why Cash App got hacked or data breached. It happened around December 2021 and was made public when a former worker obtained business reports after quitting the job. Also, when they interviewed the company, they explained that reports were available for all employees to examine and download as part of their duties. According to Block, the unidentified person was not prevented from promptly obtaining this information after the employee stopped working for Cash App. With that incident, Block has taken this data extremely seriously and is investigating with the assistance of the appropriate law enforcement and regulatory agencies. Outcomes This incident happened in December 2021; most people think that hacking Cash App is easy. It appears that the information required to access internal documents was given to a hacker or hacking group by a former worker who is terminated or quit the company. To comply with the regulations for publicly listed firms, the company acknowledged the security breach in a filing. 4
This was done to avoid a severe public reaction should the company have tried to ignore the incident. With that, to protect confidential customers and internal information, the business may use biometric authentication in conjunction with other security measures. Following the attack, a digital forensic investigation revealed that an internal threat actor had downloaded reports containing data on Block’s Cash App users residing in the US (Steven, 2022). With the cooperation of law enforcement, a formal investigation into the data breach was carried out. In a separate statement, Block said it will keep researching technical and managerial protections to make sure clients could give the cryptocurrency corporation their sensitive personal data. Ethics Analysis Since inadequate security measures were in place, the Cash App data breach became possible. Also, a new class action complaint claims that Cash App and Block breached in December 2021 and neglected to protect the client data. According to the Cash App and Block class action, the data breach was discovered after Block revealed that one of its former employees had improperly obtained the private information of Cash App investors. Block alerted authorities to the breach and, with the aid of a reputable forensics company that must remain nameless, started an ongoing investigation into the event. It was about 8.2 million customers of Cash App were affected by the breach, and they were informed. Sadly, the delay in sending this breach notification which was sent four months after the incident increased the possibility of additional cyberattacks against the affected customers (Kost, 2023). The investigation continues when I research about Cash App data breach, which happened recently. In 2021, after he left, the employee stole all the information such as the account name, brokerage account number, portfolio values, and stock trading from 8.2 million customers of 5
Cash App. In that case, the company should be stricter with their employees when it comes to logging in or on. The company can also have tighter authentication or authorization when it comes to opening confidential information. In fact, the employee stole all the information after he quit, and the security of online funds is weak and or is not strong enough for Cash App’s system. Ironically, fraudsters have been using rising worries about the security of online money by tricking users of finance apps into believing false warnings about account breaches that can lead to credential theft. However, in this case, it was the former employee who stole all the information from Cash App’s customers. The company didn’t say or explain the purpose why the employee stole it or what was the reason for it. Not just lacking online security, the company should look thoroughly when employees come out or log out of their stations by scanning their IDs. All the companies have their work IDs. Every time they are clocking in or out, they use their ID to scan it or have a biometric scanning. With that, it can help the company to see what of their doing or who is opening the confidential information without asking permission, and to track it down. It may sound or seems that the company is attacking the employees’ files such as privacy files, but it also helps the company to make sure that no one is stealing them. As Kost explained delaying a notification regarding the incident, which was sent four months after the incident from Block to the 8.2 million affected customers was the worst for both company and the customers. In that case, the company made a big mistake because the company didn’t report immediately to the SEC about the incident which was lead that the customers had been suffering from cyberattacks. In my opinion, the company should know better since they knew about the incident with their employee who was stealing all the customers’ information, and they should report it immediately. Also, the company should prioritize the customers by making sure that all of them got their refunds or not. Or if they still have the right information. Since the investigation continues about 6
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
the data breach, the company should be more secure and strengthen its security for customers and the company’s information at all costs. Recommendations 1. Policy Despite there being inadequate security measures in place, the Cash App data breach became conceivable. Its company may be able to avoid a similar outcome by including these rules in its cybersecurity policy. a. Block account access for previous and future employees The Cash App needs to be more cautious when it comes to employees either leaving or quitting work. They must block or delete their information once they quit or leave. If the fired worker’s accounts had been quickly locked, the Cash App breach might not have happened. Basically, IT teams should be prepared to promptly limit account access using account management software after receiving a termination letter, especially when an employee is to take retaliatory action. b. Utilize MFA to protect all accounts Cash App accounts lack passwords in order to improve user experience and eliminate login friction. Instead, anytime a person tries to log in, they must enter a verification code that was given to their email or phone number to prove their identity. This login procedure has a flaw in that it might be abused by stealing a victim’s email address. Given that the majority of email addresses have previously been exposed to significant data breaches and that recycling their passwords across many solutions and this Cash App login pathway isn’t hard to prevent. 7
All user accounts must be secured with MFA in order to avoid data breaches due to abused login paths. c. Enforce a data leak detection solution A data leak is an unauthorized disclosure of private data resulting from software bugs or data dumps on the dark web, such as the Cash App listings on dark web markets. The most prevalent and challenging type of data breach to control is data leaks from the dark web. Cybercriminals almost instantly post their windfall of stolen account credentials for sale on dark web markets after a data breach. Even while these incidents represent serious security lapses, a payment gateway restricts unauthorized access to listings, therefore they are not the most hazardous kind of data leak. d. Upgrades or improves the data breach notifications Since that incident happened, Cash App got delayed sending data breach notifications. The company must keep on updating about data breaches to inform all the customers. Also, the company must start an internal inquiry and to have informed the relevant law enforcement and regulatory agencies. 2. Technological Cash App must upgrade its systems when employees log in with more verification or authentication codes. In that incident, Cash App has weak security to protect all the confidential information for the customers. If they follow the policy that I mention that it will well benefit the company, it won’t happen again to their company, and they will also gain customers’ trust. 8
3. Organizational Point of View Since that incident happened, the risk of dishonest personnel is not specific to Cash App. A Wall Street Journal poll indicates that roughly 70% of businesses are concerned about the possibility of insider threats. We all know that cyber risks are an increasing issue for businesses of all sizes because they have a major negative impact on financial performance and image. For the duration of 2022, Cash App must prioritize cybersecurity in order to best battle the proliferation of threat actors. The company should do strict or high security when employees go into the systems or let them know the policy. With the cooperation of law enforcement, an official investigation into the data breach was carried out. In a separate statement, Cash App and Block will keep researching technical and managerial protections to make sure clients could give the cryptocurrency corporation their sensitive personal data. Conclusions Cash App is the P2P payment and provides the possibility to buy stocks and bitcoin through its social platform in addition to mobile banking. It also has the Cash App Taxes tool to submit taxes. In addition, Cash App offers to send and receive money fast from their mobile devices. It is well known mobile payment app in the US. With that, it has a lot of good strategies such as advertising on social media platforms and offering the influencers to advertise or to be ambassadors for the company. However, all companies have flaws or technical issues with their customers or clients. In 2021, an employee stole all the information from 8.2 million customers. After he left, he stole the name of the clients, account numbers, brokerage holdings, brokerage portfolio values, and stock trading without asking permission. After that incident happened, 9
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Block and Cash App sent a data breach in four months. With that the delay in data breach notification, all the customers have been affected by a data breach. When I researched complaints from customers, some customers lost money or bitcoin on that incident. Others have filed a complaint to the court. In that file of the court, it mentioned the majority of data breach lawsuits are negligence, breach of contract, breach of fiduciary duty, and unfair or deceptive trade practices. Although all the technical issues or managerial problems, Block and Cash App are still investigating the data breach. Block claims that the data breach did not expose any private client data, such as social security numbers, bank account information, usernames, or passwords. Block has issued a warning that it is difficult to predict what the final cost of the data breach will be even though the inquiry is still continuing. Additionally, they have said that they would keep reviewing and tightening administrative and technical safeguards to secure information. In that case, Block and Cash App should follow all my recommendations that will help them to prevent or to avoid that situation which is to block all access to the accounts so that no one to employee from previous and future employees, utilize the MFA accounts, to implement data leak protection or solutions, and to use the employee IDs to access all the data in one at a time. In that way, Cash App and Block will take more precautions and be more secure in their security systems. Also, more updates on their technology. 10
Citations Borbely, A. (2023, February 6). How cash app's performance marketing generated 190+million downloads . Medium. Retrieved May 5, 2023, from https://medium.com/scale- fanatics/how-cash-apps-performance-marketing-generated-190-million-downloads- eb8b7dab2af6#:~:text=Summary%20of%20Their%20Strategy,which%20they%20really %20excel%20at. Cash app data breach class action lawsuit . Kantrowitz, Goldhamer & Graifman, P.C. (2022, August 18). Retrieved May 5, 2023, from https://www.kgglaw.com/class-action- lawsuits/cash-app-data-breach-class-action-lawsuit/ Cowley, S. (2022, April 6). Block says a former employee downloaded data on millions of cash app investing customers. The New York Times. Retrieved May 5, 2023, from https://www.nytimes.com/2022/04/06/business/block-cash-app-data-breach.html How did the cash app data breach happen?: Upguard . RSS. (n.d.). Retrieved May 5, 2023, from https://www.upguard.com/blog/how-did-the-cash-app-data-breach-happen Images, timothy a. clary/A. F.-P. G. (2020, June 30). Companies name one of the biggest cybersecurity threats: Their employees . The Wall Street Journal. Retrieved May 5, 2023, from https://www.wsj.com/articles/companies-name-one-of-the-biggest-cybersecurity- threats-their-employees-11592606115 11
Inline XBRL Viewer. (n.d.). Retrieved May 5, 2023, from https://www.sec.gov/ix?doc= %2FArchives%2Fedgar%2Fdata %2F0001512673%2F000119312522095215%2Fd343042d8k.html PYMNTS.com. (2022, August 25). Cash app, block accused of negligence in class action over breach . Pymnts.com. Retrieved May 5, 2023, from https://www.pymnts.com/legal/2022/cash-app-block-accused-of-negligence-in-class- action-over-breach/ Slandau. (2022, May 2). Cash app security breach information; insider threat attack . CyberTalk. Retrieved May 5, 2023, from https://www.cybertalk.org/2022/04/05/cash-app-breach- involves-informing-millions-about-ex-employees-actions/ Steven Steven graduated from Purdue University with a Bachelor’s Degree in Information Technology. (2022, August 24). Was the block cash app data breach an insider snitch? IDStrong. Retrieved May 5, 2023, from https://www.idstrong.com/sentinel/was- the-block-cash-app-data-exposure-an-inside-job/#:~:text=under%20the%20rug.-,What %20Information%20was%20Revealed%20in%20the%20Leak%3F,were%20made %20available%20to%20hackers. What is cash app and how does it work? ZDNET. (n.d.). Retrieved May 5, 2023, from https://www.zdnet.com/finance/what-is-cash-app-and-how-does-it-work-a-comprehensive- guide/ 12
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help

Related Documents

CYB 260 PROJECT 2 ANTHONY VELOTTI.docx
CYB 220 PROJECT 3 ANTHONY VELOTTI.docx
CYB 410 Comparing Privacy Protection Laws Anthony Velotti.docx
CYB 420 4-2 Project 1 Anthony Velotti (1).docx
CYB 420 4-1 ANTHONY VELOTTI.docx
Case Study #1.docx
CS#3.docx
Case Study 2.docx
part 3.txt
After_Action_Report_Survey_Template.docx
WBS Handout (1).docx
388CheatSheet.pdf