In what can be counted among the most significant data breaches of the year, trading platform Robinhood disclosed that a breach on November 3 had compromised the data of close to 7 million customers to varying degrees. The hackers then demanded an extortion payment.
According to the firm’s statement, the attacker gained access to a list of about 5 million email addresses and the full names of another 2 million people. “We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately ten customers having more extensive account details revealed”, it said.
The company said that the incident did not involve the unauthorized access of any of its customers’ financial data. “We believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” the company said in the statement.
During the attack, a textbook case of social engineering, an unauthorized party gained access by posing as a company employee.
After the intrusion was contained, the unauthorized party demanded an extortion payment. The team from Robinhood promptly informed law enforcement agencies. Robinhood said it is working with Mandiant to make “appropriate disclosures” to the affected customers. The company also noted that it put its customers on notice about the incident.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
After announcing that its customer support systems were compromised, shares of Robinhood fell 3% in after-hours trading.
A Poor Track Record
Robinhood is a popular mobile app that lets users trade securities, cryptocurrencies, and exchange-traded funds without paying commissions. It is easy to use, but the app has a poor track record on both the security and resilience fronts.
In 2019, it admitted storing passwords in plaintext. Robinhood was also fined after it was found to have provided inaccurate information to investors. One of its users even took his own life due to the app’s UI, which led him to believe he was $750,000 in the hole from an options trade.
In 2021, it became a platform for individuals looking to profit from a short squeeze of stocks and commodities. Charlie Munger and Warren Buffett have both criticized Robinhood for its role in the GameStop mania, which they said was partly caused by people’s desire to gamble and Robinhood cashing in on those sentiments.
Robinhood also had one of the worst initial public offerings in history. In its S-1 filing, the company also disclosed that the US Attorney’s Office had searched CEO Vladimir Tenev’s phone following an SEC Enforcement Division inquiry.
Cause of Concern
Being a fintech app, the company holds financial information on almost all of its subscribers. However, the company maintains that this sensitive data was not compromised.
The exposed data is invaluable to malicious actors for launching spear-phishing and other targeted attacks. Moreover, fields such as date of birth and physical address are static: customers commonly build their passwords from them, and a few services use them as verification checks when logging in to systems. Hence, the industry is worried about the repercussions of the hack.
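The point above is that static fields such as date of birth and zip code keep their value to an attacker long after a breach, because people reuse them as password material. One mitigation on the service side is to refuse passwords that embed the account holder's own static data at the time the password is set or reset. The following is an added example written for this article, not code from Robinhood or from the article itself; the user record, the date formats and the leetspeak table are constructed assumptions chosen to illustrate the check.

```python
"""Reject passwords that embed a user's static personal data.

Added example (not from the article or from Robinhood): a password-policy
check a service could run at password set/reset time. It blocks passwords
built from the fields a breach like the one described exposes (name, date of
birth, zip code). Those fields never change, so once leaked they become an
attacker's first guesses; refusing them as password material limits that reuse.
The sample user below is constructed data.
"""
from datetime import date
import re
import unicodedata

# Common character substitutions, folded back so "@l1c3" is treated as "alice".
# Constructed table: extend it to match your own observed patterns.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(text: str) -> str:
    """Lowercase, strip accents and drop non-alphanumerics so 'Pérez' matches 'perez'."""
    decomposed = unicodedata.normalize("NFKD", text)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def pii_tokens(full_name: str, dob: date, zip_code: str) -> set[str]:
    """Derive the substrings a person is likely to reuse from their static PII."""
    tokens: set[str] = set()
    # Name parts: each word of the name, plus the whole name run together.
    parts = [_normalize(p) for p in full_name.split()]
    tokens.update(p for p in parts if len(p) >= 3)
    joined = "".join(parts)
    if len(joined) >= 3:
        tokens.add(joined)
    # Date of birth in the digit layouts people typically type into passwords
    # (assumed list; two-digit year alone is omitted as too short to be meaningful).
    tokens.update({
        dob.strftime("%Y"),      # 1985
        dob.strftime("%m%d"),    # 0714
        dob.strftime("%d%m"),    # 1407
        dob.strftime("%m%d%y"),  # 071485
        dob.strftime("%d%m%y"),  # 140785
        dob.strftime("%m%d%Y"),  # 07141985
        dob.strftime("%d%m%Y"),  # 14071985
        dob.strftime("%Y%m%d"),  # 19850714
    })
    # Five-digit zip, with any ZIP+4 suffix stripped.
    zip5 = _normalize(zip_code)[:5]
    if len(zip5) == 5:
        tokens.add(zip5)
    return tokens


def contains_pii(password: str, full_name: str, dob: date, zip_code: str) -> list[str]:
    """Return the PII tokens found in the password, sorted; an empty list means it passes.

    Both the plain password and its leet-decoded form are searched, so digit
    tokens match the plain form and obfuscated name tokens match the decoded one.
    """
    candidates = {_normalize(password), _normalize(password.translate(LEET))}
    return [tok for tok in sorted(pii_tokens(full_name, dob, zip_code))
            if any(tok in cand for cand in candidates)]


def password_allowed(password: str, full_name: str, dob: date, zip_code: str) -> bool:
    """Policy decision: allow only passwords that contain none of the user's PII tokens."""
    return not contains_pii(password, full_name, dob, zip_code)


if __name__ == "__main__":
    # Constructed sample account, not a real person.
    name, born, zipc = "Alicia Ramos-Pérez", date(1985, 7, 14), "94105-1234"
    for candidate in ["Tr0ub4dor&3", "Alicia1985!", "@l1c1a-94105", "Summer2024!"]:
        hits = contains_pii(candidate, name, born, zipc)
        verdict = "rejected" if hits else "allowed"
        print(f"{candidate!r}: {verdict} {hits if hits else ''}")
```

The check is deliberately a substring match on normalized text rather than an exact comparison, because password policies fail at the edges: a birth year glued onto a pet's name, or a zip code with a dash, still leaks the static field. The same tokens are also a reasonable denylist for knowledge-based verification prompts, which the paragraph above notes some services still rely on at login.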
The nature of the hack, where the hacker posed as an employee, shows why companies should take a more human approach toward cybersecurity. Despite knowing that humans are generally the weakest link in a cyber defense infrastructure and about 90% of cyber-attacks are caused by human errors, employee empowerment is still neglected.
Creating employee awareness and vigilance, and instilling a stakeholder mentality among employees with regard to cybersecurity and cybersecurity training, need to be a consistent part of every company’s cybersecurity plan. Hopefully, the Robinhood hack will bring much-needed attention to this approach and give the employees who use cyber tools and methods the awareness to follow them.
Stay tuned to this space for more information on this hack.