Robinhood trading app hit by data breach
In a blog post, the company said it experienced a ‘data security incident’ on the evening of 3 November when an unauthorised third party obtained access to a limited amount of personal information for some of the platform’s customers.
The platform said the attack had been ‘contained’ and it didn’t believe that any Social Security numbers, bank account numbers, or debit card numbers were exposed to the hackers.
However, a list of email addresses for about five million people, and full names for a different group of approximately two million people were accessed after the unauthorised party ‘socially engineered’ a customer support employee by phone and obtained access to customer support systems.
Robinhood admitted that for about 310 people, additional personal information, including name, date of birth, and postcode, was exposed, with about 10 customers having more extensive account details revealed. The platform said it was in the process of contacting the affected people.
Robinhood said it had rejected a demand for payment, reported the attack to law enforcement agencies, and hired a cyber security firm to deal with the incident. Such ransom demands are not uncommon in cyber-attacks and usually amount to a promise not to sell on the compromised data or leak it for free online.
Chris Hauk, consumer privacy champion at Pixel Privacy, said: “I have long held that education is perhaps one of the most important tools a company can use to avoid data breaches like this. Socially engineered attacks like the Robinhood breach can possibly be avoided by educating employees and executives on the methods used by the bad actors of the world.”
Erich Kron, security awareness advocate at KnowBe4, said: “Social engineering continues to play a significant role in spreading malware and ransomware as well as in breaches such as this one. The bad actors behind these attacks are often highly skilled and very convincing when they get a potential victim on the line.
“Unfortunately, technology is not good at stopping these attacks, so the best defence against these attempts is education and training. Employees should be trained to spot and report social engineering and phishing attacks using short, focused training modules and organisations should have a policy telling employees how to report these attacks.”