October 7, 2025

Cash App agrees to pay $375,000 to resolve allegations that it failed to adequately protect customer data

Cash App Investing LLC (“Cash App”), a broker-dealer based in Portland, Oregon, recently filed a Letter of Acceptance, Waiver, and Consent (“AWC”) with the U.S. Financial Industry Regulatory Authority (“FINRA”) in order to settle allegations that the company failed to reasonably safeguard customer information.  According to the AWC, without admitting or denying FINRA’s findings, Cash App consented to the imposition of a censure and the payment of a $375,000 fine to resolve allegations that the company violated Rule 30(a) of Regulation S-P of the Securities Exchange Act of 1934 and FINRA Rules 3110 and 2010, which require firms to establish and maintain systems that protect customers’ records and information against unauthorized access that could substantially harm or inconvenience the customers.

According to facts provided in the AWC, Cash App self-reported to FINRA a data breach that occurred between October 2019 and March 2022, when a former employee who had designed and built a trade reconciliation database for the company not only accessed the database but also downloaded six reports from it following his/her departure.  The data breach reportedly took place in December 2021, two months after the employee resigned.  According to the AWC, the employee was reportedly the only individual who regularly accessed the web-based database since it was created in November 2019.  While Cash App’s cybersecurity policy required the company to immediately terminate the employee’s access to firm databases and networks upon his/her departure, the firm inadvertently failed to disable the employee’s access to the trade reconciliation system.  The employee was allegedly able to download reports that contained the names and account numbers of approximately 8.2 million customers and the account values and account holdings of approximately 3.4 million customers.  Cash App detected the unauthorized access in March 2022, approximately three months after the breach occurred.

According to the AWC, Cash App was able to immediately disable the former employee’s access when the breach was discovered and reportedly notified customers and regulators, including FINRA, in a timely manner.  The discovery also allegedly prompted Cash App to take steps to enhance its security systems, which included a full migration of the trade reconciliation database into the firm’s data security infrastructure.

Cash App Letter of Acceptance, Waiver, and Consent