The Robinhood financial stock trading app has admitted a ‘data security incident’ and warned that a third party had obtained access to the email addresses of five million customers.

The admission came in a blog post on Monday, in which the trading platform said the attack had been contained and no social security numbers, bank account numbers, or debit card numbers had been exposed.

“Late in the evening of November 3, we experienced a data security incident,” the platform blogged. “An unauthorised third party obtained access to a limited amount of personal information for a portion of our customers.”

Security incident

“The unauthorised party socially engineered a customer support employee by phone and obtained access to certain customer support systems,” said the platform.

“At this time, we understand that the unauthorised party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people.”

A much smaller group of around 310 customers had more sensitive details exposed: their name, date of birth, and postcode.

Ten of these customers had "more extensive account details revealed," the platform said, adding: "We are in the process of making appropriate disclosures to affected people."

“After we contained the intrusion, the unauthorised party demanded an extortion payment,” blogged the platform. “We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.”

“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

Layered security

The attackers used an attack vector similar to the one behind the phone-based spear-phishing compromise of Twitter staff in July 2020: rather than exploiting a software flaw, they talked an employee into granting access to internal tools.

A security expert noted the need to improve staff training to recognise these types of attacks.

“The latest cyberattack on Robinhood is a stark reminder of the critical need for organisations to adopt a layered security strategy that includes the increasingly critical aspect of defending against human error,” noted Chris Deverill, UK director at Orange Cyberdefense.

“The fact malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness,” said Deverill.

“Teaching employees how to recognise phishing attempts and detect malicious activity will ultimately enable them to access the security resources needed to stop cybercriminals in their tracks, and carry out their own jobs safely and effectively,” said Deverill.

“More than ever before, we are operating in a cyber landscape where implementing a comprehensive security strategy is no longer an opt-in or opt-out option,” said Orange Cyberdefense’s Deverill.

“This latest data breach is a stark reminder of the critical importance of user awareness and education amongst organisations,” Deverill concluded. “By improving this, businesses can make employees their first line of defence when it comes to cybersecurity, and further protect their organisation and customers from such attacks in the future.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
