The Robinhood financial stock trading app has admitted a ‘data security incident’ and warned that a third party had obtained access to the email addresses of five million customers.

The admission came in a blog post on Monday, in which the trading platform said the attack had been contained and no social security numbers, bank account numbers, or debit card numbers had been exposed.

“Late in the evening of November 3, we experienced a data security incident,” the platform blogged. “An unauthorised third party obtained access to a limited amount of personal information for a portion of our customers.”

Security incident

“The unauthorised party socially engineered a customer support employee by phone and obtained access to certain customer support systems,” said the platform.

“At this time, we understand that the unauthorised party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people.”

A small number of customers had more sensitive personal information disclosed: 310 people had their name, date of birth, and postcode compromised.

Ten of these customers had “more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.”

“After we contained the intrusion, the unauthorised party demanded an extortion payment,” blogged the platform. “We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.”

“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

Layered security

The hackers used an attack vector similar to the spear phishing compromise of a staffer at Twitter in July 2020.

A security expert noted the need to improve staff training to recognise these types of attacks.

“The latest cyberattack on Robinhood is a stark reminder of the critical need for organisations to adopt a layered security strategy that includes the increasingly critical aspect of defending against human error,” noted Chris Deverill, UK director at Orange Cyberdefense.

“The fact malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness,” said Deverill.

“Teaching employees how to recognise phishing attempts and detect malicious activity will ultimately enable them to access the security resources needed to stop cybercriminals in their tracks, and carry out their own jobs safely and effectively,” said Deverill.

“More than ever before, we are operating in a cyber landscape where implementing a comprehensive security strategy is no longer an opt-in or opt-out option,” said Orange Cyberdefense’s Deverill.

“This latest data breach is a stark reminder of the critical importance of user awareness and education amongst organisations,” Deverill concluded. “By improving this, businesses can make employees their first line of defence when it comes to cybersecurity, and further protect their organisation and customers from such attacks in the future.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
