The Non-Financial Ledger: What a Spreadsheet Cannot Count

There is a number in this settlement: $15 million. Courts and press releases love that number. It sounds serious. It sounds like accountability. But there is another ledger that does not appear in the settlement agreement, and it is the one that actually matters to the people whose lives got turned upside down.

Think about who uses Cash App. It is not a product for people with multiple brokerage accounts and a financial advisor on speed dial. Cash App built its customer base on people who live paycheck to paycheck, people who were locked out of traditional banking, people for whom a $200 unauthorized transfer is not an inconvenience — it is a missed rent payment. It is a bounced check. It is a utility shutoff. It is a choice between groceries and gas. The company knew its user base. It marketed directly to that demographic. Then it failed to protect them.

When a former employee of Cash App Investing walked out with unauthorized access to internal financial reports, the users affected did not get a personal phone call. They got a disclosure. A corporate disclosure, in April 2022, issued because the company was legally required to say something. By then, whatever that employee had seen, copied, or taken was already out. The people whose investment data was in those reports had no ability to go back in time and undo the exposure. They could only wait and worry.

The second breach is, if anything, more insulting. Someone exploited recycled phone numbers — phone numbers that had been reassigned by carriers to new owners but were still linked to Cash App accounts belonging to the original holders. This is a failure so basic, so foreseeable, that calling it an oversight is generous. Telecommunications companies recycle numbers constantly. Any financial platform that uses phone numbers as account access credentials and does not build a system to catch reassignment is making a choice, even if no one in the boardroom ever used those exact words. The people whose accounts were broken into through this vector did not have anything left they could have done differently. They were breached through a gap in a system they trusted with their money.

And then they had to prove it. To get any money from this settlement, class members must submit claim forms with third-party documentation. Not a note you wrote yourself. Not a screenshot. Third-party documentation. Receipts from a credit bureau. A police report. A copy of the notification they sent to Cash App — as if people keep organized files of every time they told a corporation about fraud. People who did everything right, who called Cash App, who filed police reports, who tracked every penny lost, still get capped at $2,500 for out-of-pocket losses and $75 for their time. Three hours. That is what the settlement values your time at if you spent hours on hold with customer support trying to get your money back. Three hours.

The people who were harmed most — the ones who lost money they couldn’t afford to lose, who spent weeks trying to get Cash App to fix what happened, who had to borrow from family or skip payments while waiting for resolution — those people are the ones most likely to have lost or never had the documentation the claims process demands. The settlement, by design, filters them out. The money flows toward people who were harmed enough to have records, but not so harmed that their lives were too disrupted to keep records. The most vulnerable get the least.

Block, Inc. and Cash App Investing signed this agreement in February 2024. They admitted nothing. They denied everything. They funded a $15 million pool, subtracted attorneys’ fees of up to $3.75 million, subtracted administrative costs, subtracted taxes, and handed the remainder to a settlement administrator to distribute in checks that expire after ninety days. If you miss the deadline, your check is voided. If your check bounces back as undeliverable, you get thirty more days, then possibly sixty more. The bureaucracy of being wronged is exhaustive. For people who are already struggling, it is designed to exhaust them out of their share.

“The people who were harmed most are the ones most likely to have lost or never had the documentation the claims process demands. The settlement, by design, filters them out.”

None of this appears in the settlement agreement because none of it is legally relevant to the settlement agreement. That is the point. The law asked: did Block pay? Yes. Did users release their claims? Yes. Case closed. The ledger that tracks dignity, stress, lost sleep, the shame of telling a landlord your money was stolen from an app you trusted, the practical impossibility of replacing stolen funds when you have no savings cushion — that ledger stays open, permanently unreconciled.

Legal Receipts: What the Document Actually Says

The following are direct, verbatim excerpts from the Class Action Settlement Agreement and Release, Case 3:22-cv-04823-AMO, Document 76-2, filed March 3, 2024. Read them carefully. Corporate legal documents are designed to sound dry. The implications are not.

• This paragraph formally confirms two distinct breach events by Block/Cash App entities, not one. The first was an insider threat: a former employee with unauthorized access to internal financial reports. The second was a systemic infrastructure failure: the company left active account links tied to phone numbers that phone carriers had already reassigned to entirely different people.
• Block disclosed the phone number breach in September 2023 — more than a year after the first employee breach was disclosed in April 2022. Users had no way to know whether their accounts were vulnerable during that entire window.

• Block pays $15 million and admits absolutely nothing. This is standard in class action settlements, but “standard” does not mean it is not outrageous. Users give up every legal claim they have — for years, across multiple statutes — in exchange for a check from a company that officially maintains it did nothing wrong.
• The Released Claims are extraordinarily broad. By accepting settlement funds, class members release claims under the California Consumer Privacy Act, the California Privacy Rights Act, the Electronic Fund Transfer Act, the FTC Act, California’s Unfair Competition Law, and more. Block gets full legal immunity across the board.

• Block can cancel the entire settlement — and owe nothing — if too many users opt out. The threshold number is secret. It was hidden from public view, available only to the judge in a closed review. Class members have no way to know how close the opt-out count came to triggering cancellation, or how many people had to stay in the class to make the deal hold.
• This clause protects Block, not consumers. It exists to ensure Block can walk away from any deal where too many harmed users decide they want to preserve their right to sue independently. A company that did nothing wrong would have no particular reason to need this clause.

• The ceiling on harm recognition is $2,500 plus $75 in time value. For users who lost more than $2,500 to unauthorized transactions, this settlement does not make them whole. It simply limits what the company is exposed to per person.
• Lost time is valued at $25/hour for a maximum of three hours. Cash App’s CEO and senior executives earn thousands of dollars per hour in compensation. The company structured a settlement that values a harmed user’s time at a fraction of minimum wage in many U.S. cities.

• If enough people file claims, every individual payout shrinks. The $15 million is not guaranteed per person; it is a shared pool. After attorneys’ fees (up to $3.75 million), administrative costs, and taxes are deducted, the net pool available to users is materially smaller than $15 million. High claim volume means pro rata cuts to every approved claim.
• Block’s total liability is explicitly capped at $15 million regardless of how many users were harmed or how much each lost. The settlement agreement states: “Defendants’ total liability hereunder does not exceed Fifteen Million Dollars ($15,000,000.00).”

“Block can cancel the entire settlement and owe nothing if too many users opt out. The threshold number is secret, submitted only for private judicial review.”

Societal Impact Mapping: The Damage Beyond Your Account

Public Health

Financial insecurity and fraud are documented drivers of psychological harm. When a fintech app serving unbanked and underbanked populations fails to secure user data and funds, the downstream effects land on people who have the fewest resources to absorb them.

• Unauthorized withdrawals and fraudulent transfers can destroy financial stability instantly for users living without savings buffers. The settlement’s own definitions acknowledge that affected users may have incurred overdraft fees, late payment fees, and missed payment charges as a direct consequence of the breaches — costs that compound for low-income users in ways that create cascading financial trauma.
• The settlement explicitly acknowledges “Lost Time” spent responding to the breaches, capping compensation at three hours. Research consistently links prolonged bureaucratic dispute processes — filing police reports, disputing transactions, navigating call center queues — with elevated stress, lost work hours, and reduced mental health outcomes, particularly for people without the flexibility to take time off or access to professional help.
• The phone number recycling breach created a category of victim who did nothing wrong at any step. They didn’t reuse passwords. They didn’t click a phishing link. Their phone carrier reassigned their old number, and Cash App’s system never caught it. The helplessness of being victimized through a gap entirely outside your control is a documented component of fraud-related psychological harm.
• Cash App users skew toward younger, lower-income demographics who use the platform as a primary or sole banking mechanism. For these users, the loss of account access or funds is not a temporary inconvenience; it is a direct threat to housing stability, food security, and medical access.

“For users who live without a savings buffer, a single unauthorized transfer can collapse a month of financial planning in seconds.”

Economic Inequality

The structure of this settlement encodes the same economic inequalities that made these users vulnerable in the first place. The design of the claims process systematically disadvantages the least financially resourced class members.

• The $2,500 cap on out-of-pocket loss reimbursements means that anyone who lost more than $2,500 to unauthorized account activity is legally settling for less than their actual harm. This cap was set by a company that generated billions in revenue. It was not set by a court based on documented average losses.
• The documentation requirements — third-party receipts, police reports, copies of notifications sent to Cash App — place the burden of proof on the victim. People who live in areas with understaffed police departments, or who distrust law enforcement, or who simply could not navigate Cash App’s customer support system well enough to get a written record of their complaint, face systematic exclusion from the claims process.
• Class members whose checks go uncashed or are returned as undeliverable face a cascading bureaucracy of reissuances with 60-day expiration windows. People experiencing homelessness, domestic violence situations requiring frequent address changes, or incarceration — all populations that correlate with Cash App’s lower-income user base — face a disproportionate risk of missing these narrow windows and losing their settlement payment entirely.
• Up to $3.75 million of the $15 million fund is available to class counsel in attorneys’ fees before a single dollar reaches a harmed user. The named plaintiffs receive $2,500 service awards each. The people who did the work of bringing the case are compensated far above what the average class member will ever see.
• The pro rata reduction clause means that high claim volume shrinks every payout. Block is the only party whose maximum exposure is fixed and guaranteed. Every other party — users, counsel, administrator — bears the risk of an underfunded pool. The company that caused the harm carries the least financial uncertainty in the resolution.
• Block and Cash App Investing retain secret opt-out threshold protection. If enough affected users decide to seek justice independently — likely those with the largest individual losses, the ones who were harmed most — Block can legally void the entire deal. The settlement structure actively discourages the most-harmed users from exercising their legal rights.

The “Cost of a Life” Metric: What $15 Million Actually Means

Who Is Who: The Corporate Structure Behind the Breach

Understanding who is responsible requires understanding the corporate layers involved. The settlement names two distinct defendants, both of which signed the agreement in February 2024.

What Now: Who to Hold Accountable and What to Do

Block, Inc. and Cash App Investing signed this settlement. These are the people who signed on behalf of the corporations, as documented in the settlement agreement filed with the court on March 3, 2024.

• Chrysty Esperanza, Chief Legal Officer of Block, Inc. — signed February 17, 2024. She is the named legal officer who formally executed this agreement on behalf of Block.
• Luis Olivera, CEO of Cash App Investing LLC — signed February 17, 2024. He is the named chief executive who executed the agreement on behalf of Cash App Investing LLC.
• Aravind Swaminathan and Michelle Visser of Orrick, Herrington & Sutcliffe LLP — listed as Cash App’s legal counsel throughout the proceeding and in the settlement document.

Watchlist: Regulatory Bodies With Jurisdiction

• Consumer Financial Protection Bureau (CFPB): The CFPB has direct authority over financial products and services, including mobile payment platforms. The Electronic Fund Transfer Act, cited in the Released Claims, is a CFPB-enforced statute. File complaints at consumerfinance.gov/complaint.
• Federal Trade Commission (FTC): The FTC Act is explicitly named in the Released Claims. The FTC has authority over unfair and deceptive trade practices in financial services. Report at reportfraud.ftc.gov.
• Securities and Exchange Commission (SEC): Cash App Investing LLC operates as an investment platform. The SEC has jurisdiction over data security practices at registered investment platforms. Contact the SEC at sec.gov/tcr.
• California Attorney General: The settlement cites the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the California Consumer Records Act. California’s AG office has enforcement authority over all three. File at oag.ca.gov/privacy/ccpa.
• State Financial Regulators: Block and Cash App operate under money transmitter licenses in multiple states. If you were harmed outside California, your state’s financial regulator or attorney general may have concurrent jurisdiction. Look up your state regulator through the Conference of State Bank Supervisors (csbs.org).

Mutual Aid, Organizing, and Grassroots Resistance

• If you are in the settlement class, file your claim. Even a small payout is yours. Go to the settlement website (check the court docket for Case 3:22-cv-04823 on PACER or the settlement administrator’s site for the current URL) before the claims deadline. Do it now, before you forget.
• Document everything with every financial app you use. Screenshot transaction histories monthly. Keep records of any dispute you file. The documentation requirements in this settlement are a preview of what every fintech claims process looks like. Prepare now.
• If you lost more than $2,500 and have not yet filed a claim, consult an attorney before the opt-out deadline. Opting out preserves your right to sue independently. The opt-out window is 35 days after the Notice Date. Once it closes, you are bound by this settlement regardless of your actual losses.
• Support community banking and credit unions. Cash App’s user base is disproportionately composed of people who were shut out of traditional banking. Local credit unions and community development financial institutions (CDFIs) offer many of the same services without the surveillance capitalism business model. Find a CDFI at cdfifund.gov/programs-training/certification/cdfi.
• Demand real data security legislation at the federal level. Contact your congressional representatives and demand federal consumer data protection law with private rights of action and mandatory minimum security standards for financial platforms. The Electronic Fund Transfer Act, cited in this case, was last substantially updated in 1978.
• Share this investigation. The settlement was filed publicly. The documents are real. Forward this article to anyone who uses Cash App. The settlement notice process reaches only those with active email addresses on file. Word of mouth reaches everyone else.