DESCRIPTION OF EVENTS
"Investing for Everyone. Commission-free investing, plus the tools you need to put your money in motion. Sign up and get your first stock for free. Certain limitations and fees apply." "Tap into the cryptocurrency market to buy, HODL, and sell Bitcoin, Ethereum, Dogecoin, and more, 24/7 with Robinhood Crypto."
"We believe the financial system should be built to work for everyone. That’s why we create products that let you start investing at your own pace, on your own terms." "Other crypto exchanges charge up to 4% just to buy and sell crypto. We charge 0%." "Industry-leading security. Ownership over your coins. Cold storage for vast majority of our customers’ coins. Crime insurance against theft and cybersecurity breaches."
"The firm, which helped popularize free trading, went on a hiring binge for customer-service staff, more than tripling the size of that team in 2020. The brokerage opened offices in Arizona, Texas and Colorado as part of its expansion. It unveiled 24/7 phone support [in October 2021]." "The online brokerage has about 18.9 million retail clients."
Robinhood "announced Monday [November 8th] that a Nov. 3 data breach resulted in various information about 7 million customers being exposed. For 5 million of them, email address were accessed, and another 2 million had their full names revealed." "A blog post from Robinhood describes the data breach as taking place on November 3."
"Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers."
"Most of them had either their email address or full names exposed, while a small group had more extensive information compromised." "Additionally, personal information including name, date of birth and ZIP code was exposed for about 310 people, and about 10 customers had more extensive account details revealed. Robinhood said it is alerting affected individuals."
"The Menlo Park, California-based brokerage said it believes no Social Security, bank account or debit-card numbers were exposed during the Nov. 3 incident, nor that customers incurred financial losses." "We previously disclosed that, based on our investigation, the unauthorized party obtained a list of email addresses for approximately five million people, as well as full names for a different group of approximately two million people. We’ve determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we’re continuing to analyze. We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We’ll continue making appropriate disclosures to affected people."
"The attack hinged on a phone call with a customer service representative, whom the intruder used to gain access to support systems, according to the statement. Robinhood said it contained the breach, notified law enforcement and enlisted security firm Mandiant Inc. to investigate the breach." "Robinhood’s blog post did not specifically indicate whether the millions of records were successfully exfiltrated by the attacker, or if they simply had access to that many during the data breach window." "The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems."
"The hacker made threats about what would be done with the compromised information, although it wasn’t a ransomware attack, according to a Robinhood spokesperson, who declined to say whether the firm paid the perpetrator." "After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm." "Whatever lacking security controls that allowed a hacker to trick a Robinhood customer service representative into granting them access to an internal system is a likely focus for its investigation."
"Mandiant Chief Technology Officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact” and that his firm expects the intruder to continue to target and extort other organizations over the next several months."
"But it’s precisely that kind of information that malicious hackers can use to facilitate further attacks against victims, like targeted phishing emails, since names and dates of birth can often be used to verify a person’s identity."
Gary Gardiner, Head of Security Engineering APAC & Japan for Check Point Software, elaborates on the risks that Robinhood users can expect to face as a result of this data breach: “The information leaked here is sensitive and bad news for the Robinhood community. Malicious hackers can use the information leaked to carry out more attacks against the victims, like targeted phishing emails, as names and dates of birth can often be used to verify a person’s identity. We urge Robinhood users to change their passwords immediately, enable two-factor authentication, and to watch out for any suspicious emails in their inboxes. According to our research, 58% of malicious files in the US were delivered via email this year.”
"As a Safety First company, we owe it to our customers to be transparent and act with integrity," Caleb Sima, Robinhood's chief security officer, said in the statement. "Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do."
"Shares of Robinhood were down about 3% in after-hours trading Monday."
Robinhood is one of the largest and most well-known trading applications in the United States. On November 3rd, the platform suffered a breach where the contact information of millions of customers was stolen. The breach happened due to an attacker successfully tricking a support worker into giving access. Robinhood notified all affected users. The attacker attempted to extort the platform for payment. It is unclear if any further attacks have yet been launched against any users whose data was compromised.
HOW COULD THIS HAVE BEEN PREVENTED?
While the best solution is to have platforms require less personal inforamtion, all employees with access to sensitive information need to better protect that information. Access controls around unusual requests would also have prevented this situation.
https://coinmarketcap.com/alexandria/article/millions-of-robinhood-users-hit-by-data-breach (Jan 26)
Commission-free Stock Trading & Investing App | Robinhood (Feb 1)
About Us | Robinhood (Feb 1)
Robinhood Crypto (Feb 1)
Robinhood security breach exposes data on 7M users - BNN Bloomberg (Feb 1)
https://www.cnbc.com/2021/11/09/robinhood-data-breach-involved-7-million-clients-protect-your-credit.html (Feb 1)
https://www.cpomagazine.com/cyber-security/data-breach-of-robinhood-trading-platform-blamed-on-social-engineering-similar-to-2020-twitter-breach/ (Feb 1)
https://blog.robinhood.com/news/2021/11/8/data-security-incident (Feb 1)
Robinhood says millions of customer names and email addresses taken in data breach – TechCrunch (Feb 1)
Robinhood data breach is bad, but we've seen much worse - CNET (Feb 1)
Robinhood discloses breach that exposed information of millions of customers - CNN (Feb 1)
Robinhood Pretty Good At Getting Hacked, Not So Good At Getting Back To Hacking Victims - Dealbreaker (Feb 11)
ipo: Robinhood seeks advisers for potential IPO next year - The Economic Times (Feb 11)
Robinhood Markets - Wikipedia (Feb 11)
https://news.bloomberglaw.com/securities-law/robinhood-security-breach-exposes-data-on-millions-of-customers (Feb 11)