Fintech giant Block, formerly known as Square, has confirmed a data breach that affected 8.2 million users, involving a former employee who downloaded reports from Cash App that contained some U.S. customer information.

In a filing with the Securities and Exchange Commission (SEC) on April 4, Block said that the reports were accessed by the insider on December 10. “While this employee had regular access to these reports as part of their past job responsibilities, in this instance, these reports were accessed without permission after their employment ended,” the filing reads. 

Block said the reports the former employee accessed did not feature personally identifiable information such as usernames or passwords, Social Security numbers, dates of birth, payment card information, addresses and bank account details.

In addition, the fintech company confirmed it is working with law enforcement to conduct a formal investigation and bolstering security processes to protect employees and users, and ensure data protection.

Data theft by departing employees is a major cybersecurity risk to companies. In fact, as many as 1 in 4 employees still have access to data at a former job, according to Beyond Identity research. Yoav Shaked, VP of Product Management at Grip Security, says, “Ex-employees having access to systems is more common than you might think. This creates a huge security risk that has largely gone unnoticed up to now, but we’ll likely see more of these types of data breaches in the future.”