A proposed $15 million settlement stipulates that account holders can file for losses related to breaches disclosed in 2022 and 2023. A deadline looms for those claims.
People who have used Cash App accounts may be entitled to receive up to $2,500 each as part of a $15 million settlement related to a data breach involving the popular payments and investment platform, according to court documents and the company.
The exposure of sensitive information for more than eight million users of Cash App Investing was revealed in a regulatory filing in 2022 by Block, its parent company. The data was exposed when a former employee downloaded corporate reports after leaving the company, according to the filing.
A second breach involving more customers took place in 2023 with Cash App’s person-to-person payment services after the defendants failed to take security measures, according to a consolidated class-action complaint filed in February in United States District Court for the Northern District of California.
It said that Block and Cash App were negligent in allowing unauthorized access to personal identification information, and that they mishandled complaints about the breaches and fraudulent transactions.
A proposed $15 million settlement agreement was filed in March, giving holders of Cash App accounts from Aug. 23, 2018, through Aug. 20, 2024, the option of submitting a claim for out-of-pocket losses of up to $2,500, as well as other costs.
Block and Cash App have denied they did anything wrong and said that the settlement was not an admission of liability.
The deadline to submit claims is Nov. 18, and a final court hearing is set for Dec. 16.
A spokeswoman for Block declined to comment on Friday, and referred to recently published documents on the settlement administrator’s website. News of the settlement was published on Friday by USA Today and other news organizations.
Block has previously said that the information disclosed included customers’ names and Cash App brokerage account numbers. For some customers, the breached data included portfolio value, holdings and trading activity. User names, passwords, Social Security numbers and other personally identifiable details were not included in the breach, the company said.