We know hackers are getting more sophisticated. Cyber attacks and data breaches make the news on a regular basis, and the costs involved are staggering. But as organizations work to shield themselves from the growing threat of outside hackers, failing to look for threats from within could be just as dangerous.
In early April, Block filed an SEC disclosure driving that point home: their Cash App Investing product was the target of a data breach perpetrated by a former employee. Not a scary ransomware gang or savvy hacker, but someone they had hired and willingly provided access to sensitive information.
The Cash App Breach: What We Know
Block, the company formerly known as Square and best known for the Square payment system, shared in the disclosure that an ex-employee had accessed records for more than eight million users of the Cash App Investing platform. The reports they stole included customers’ names, their Cash App brokerage account numbers and, in some cases, data on their portfolio value, holdings, and trading activity. The company has taken steps to contact the customers impacted by the breach.
Block has shared that the perpetrator had regular access to these reports during their employment with the company. But they should not have been able to access them anymore once their job with the company had ended. The company didn’t provide any additional information on how the ex-employee was able to gain access, or what steps they’ve taken to ensure a breach of this type doesn’t happen again.
Thankfully, the breach did not include more sensitive data like passwords and social security numbers. But that doesn’t mean the information accessed can’t do real damage. Any consumer data criminals buy on the dark web can be turned into ammunition for social engineering campaigns. The more a scammer knows about a person, the more persuasive they can be in convincing you to hand over personal information.
Risk Management Lessons from the Cash App Breach
For risk management professionals, every data breach and cyber-attack can provide lessons that help you make your risk management practices stronger. Here are a few things we can all learn from the Cash App breach.
1. Don’t forget the human side of risk.
“Sadly, with so much industry focus on investments in technology solutions to fend off malware, ransomware, and other external attack vectors, we often overlook the insider threat and the risk from human factors as a predominant cause of security breaches,” suggests Andrew Moyad, CEO of Shared Assessments.
Humans are often the weakest link in an organization’s security apparatus. Usually, that’s due to carelessness. But occasionally, as in this case, it’s an issue of someone you think you can trust behaving with malicious intent. In some ways, that’s harder to anticipate and prepare for, but it’s crucial to try.
2. Implement least privilege access.
The principle of least privilege access means only providing people with as much access as they need to do their job. That includes ensuring that access is revoked immediately upon termination—something that would have prevented the Cash App breach.
“This type of breach occurs more widely than most people may realize,” Moyad warns. “It’s a textbook example of why the rapid removal of privileged access during employee terminations is an essential hallmark of strong cybersecurity programs.”
It may be an important component in a strong cybersecurity program, but that doesn’t mean it’s as common a practice as it should be. “One of the most common findings in service organization controls (SOC) reports over the last decade has been the absence of timely revocations during employee termination, so Block, Inc. is not alone here,” Moyad says.
3. Internal hiring and employee turnover impact security.
So much has been said and written in recent months about the Great Resignation. But most of the discussion in risk management circles has focused on its impact on hiring and turnover in cybersecurity jobs. Yet mass resignations bring up another notable risk management issue: the people you hire, fire, and those that resign all have the potential to be security risks. Anyone that has (or has had) access to your company data could misuse it.
That makes it critical that organizations practice discretion in choosing who to hire and which other companies to work with. Anyone that will gain access to your customer data and internal systems must be trustworthy. It also provides another reason (amongst many) to ensure employees are treated fairly and with respect. Satisfied employees are less likely to intentionally misuse or expose the data they’re entrusted with (although fair treatment isn’t a guarantee they won’t).
On top of all that, high turnover rates make keeping data secure and access permissions up-to-date that much harder. Finding the right employees and treating them well enough to keep them around as long as possible is good for business on multiple levels, not least of which is its impact on security and risk management.
Conclusion
No company wants to make headlines for a data breach. And if anything, it’s more embarrassing when the cause is misplaced trust in a former employee and the carelessness of not revoking access when you should have. Putting processes in place to enact the least privileged access can keep your organization from facing the same embarrassment. And placing a priority on hiring trustworthy people and treating them right can reduce your risks as well.
