Bad Broker

Cash App Investing Fined $375,000 for Customer Data Security Failure

2025-10-01

My Bad Broker

According to FINRA, Cash App Investing LLC was censured and fined $375,000 for failing to establish and maintain a supervisory system reasonably designed to safeguard customer information.

The violations stemmed from a significant data security lapse involving a trade reconciliation database. A firm representative had designed and built this database, and when he departed the company, the firm failed to terminate his access credentials. While the firm properly disabled his access to other systems, the trade reconciliation database was overlooked because it existed outside the firm's standard security infrastructure.

The consequences were severe. Beginning in October 2021, as the firm was transitioning the database into its proper data security infrastructure, the former representative accessed the system and downloaded reports containing the names and account numbers of approximately 8.2 million customers. For roughly 3.4 million of these customers, the downloaded data also included account values and holdings information.

The firm did not detect this unauthorized access for approximately three months. Once discovered, Cash App Investing took immediate remedial action: terminating the representative's access, following its cybersecurity incident response policy, promptly notifying affected customers and regulators including FINRA, and implementing enhanced cybersecurity controls and procedures. FINRA ultimately barred the responsible representative in February 2023.

This case serves as a critical reminder about the importance of comprehensive data security protocols. The firm's offboarding process covered the systems inside its standard security infrastructure and missed the one database that existed outside it, so a former representative kept working credentials to a system holding customer data. Firms must ensure that access controls extend to all systems containing sensitive information, not just primary databases.

For investors, this case underscores the importance of monitoring your accounts for any suspicious activity and promptly reporting concerns to your brokerage firm. While firms have regulatory obligations to protect your information, remaining vigilant about your own financial data is essential. If you receive a data breach notification from a financial institution, take it seriously and consider implementing additional security measures such as credit monitoring.

Violation: Failed to safeguard customer information leading to data breach affecting 8.2 million customers

Tags: Cash App Investing LLC, OR, CRD Number: 144076
