Block data breach
In Re Block Inc.
Date: Sept. 9, 2025
Issue: Whether Block Inc. made false statements about its data security in connection with an alleged data breach by a former employee.
Case Summary: A New York federal court dismissed a consolidated class action that alleged Block Inc. made false statements about its data security related to a former employee’s data breach.
On Dec. 10, 2021, Block allegedly experienced a data breach when a former employee accessed the company’s networks and downloaded Cash App reports obtained during his previous employment. The former employee downloaded personal identifiable information (PII) of approximately 8.2 million Cash App users. On April 4, 2022, Block publicly announced the incident in connection with filing its Form 8-K with the Securities and Exchange Commission (SEC).
Plaintiffs brought two class actions alleging Block misrepresented its data security. The first, filed in October 2022, asserted Exchange Act claims by investors in Block securities; the other, filed in January 2023, asserted Securities Act claims by Afterpay investors in the Block merger. The court consolidated the cases in March 2023. Block then moved to dismiss, arguing its pre-incident and post-incident statements were neither false nor misleading.
The court granted Block’s motion to dismiss. First, the court ruled Block’s pre-incident statements were not materially misleading. Plaintiffs relied on SEC filings, privacy notices, and the Afterpay Scheme Booklet to support their claim that Block misrepresented its data security before the alleged breach. However, the court determined Block’s disclosures and cautionary language about possible breaches made no promises about the adequacy of its controls. The court explained that statements like “we take reasonable measures” or “we do a lot to keep your data safe” were non-specific puffery, not material misrepresentations.
Next, the court ruled that Block’s post-incident statements were not materially misleading, as plaintiffs failed to show Block knew of the breach when they were made. It held that shareholder communications regarding the Afterpay merger and growth created no duty to disclose, as they did not address data security. Additionally, Block’s ISO certification and risk disclosures were not actionable absent knowledge of the breach. For Afterpay shareholders, the court ruled Block had no duty to disclose information it did not know. Accordingly, plaintiffs failed to state claims under the Exchange Act or the Securities Act.
The court also concluded plaintiffs failed to adequately plead scienter. To state a Section 10(b) claim, they had to show intent to defraud or recklessness, but in the court’s view, their allegations showed neither motive nor strong circumstantial evidence. The court rejected the claim that Block should be presumed to know of the breach or inadequate controls, finding no facts supporting scienter.
Bottom Line: The court concluded the alleged statements were not materially misleading as a matter of law, and plaintiffs failed to adequately allege scienter with respect to their fraud claim.
Documents: Opinion
