Block accused of woefully mishandling data breach affecting 8.2 million users

A stylised cube with marbled colour sits on a white background, with the word 'BLOCK' beneath

Multinational tech firm Block is facing claims that it mishandled a major data breach, and faces a class-action lawsuit over its response time and mitigations to the incident.

The plaintiffs argue that because of a four-month delay between the company learning about the data breach and notifying affected customers, Block is in violation of several pieces of consumer legislation. The complaint cites acts such as the California Customer Records Act, Illinois Consumer Fraud Act, and Texas Deceptive Trade Practices Act.


Future proofing data infrastructure with more performance, scalability, and resiliency

Dell PowerStore


In December, Block learned that one of its former employees had downloaded information on users of the company’s mobile payment service app Cash App. Using the investment service that Cash App offers, the employee was able to access information such as customer names, brokerage account numbers, and trading activity for a specific day.

Around 8.2 million users were advised about the breach four months later in April, when the company made the matter public. The plaintiffs argue that this is an unacceptable amount of time for the company to have waited before acting, and that the information eventually provided did not properly explain the failure in its security.

“Defendants’ notice of the Data Breach was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how the unauthorized former employee was able to access its networks, whether the Private Information accessed was encrypted or otherwise protected, or how it learned of the Data Breach," the lawsuit contends.

“Even worse, Defendants failed to offer any credit or identity theft monitoring services for Plaintiffs and Class members."

The plaintiffs have also stressed that the breach exposes the security systems Block has in place as inadequate, and that failure to disclose this to its customers amounts to deceptive practice. Several acts of legislation are used to define deceptive practice, such as the Texas Deceptive Trade Practices Act which sets it out as “[r]epresenting that goods or services are of a particular standard, quality or grade, if they are of another”.

Block had stated in April that it spoke to law enforcement following the breach, but failed to provide a material explanation of how a former employee could still access sensitive information.

The plaintiffs argue that they incurred losses and harm to their privacy as a result of the breach, something that could have been avoided if Block had informed them of the breach immediately. This includes “lost time dedicated to the investigation of and attempt to recover the loss of funds and/or cure harm to their privacy”.

Cash App is a popular app for sending money, with an especially active userbase in the US, and over 70 million active customers worldwide in the period 2020-2021. In addition to operating Cash App, Block owns the company Square, which offers card payment hardware and software to businesses, and buy now pay later (BNPL) platform Afterpay, which it acquired in 2021.

IT Pro has approached Block for comment.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at or on LinkedIn.