The Robinhood financial stock trading app has admitted a ‘data security incident’ and warned that a third party had obtained access to the email addresses of five million customers.

The admission came in a blog post on Monday, in which the trading platform said the attack had been contained and no social security numbers, bank account numbers, or debit card numbers had been exposed.

“Late in the evening of November 3, we experienced a data security incident,” the platform blogged. “An unauthorised third party obtained access to a limited amount of personal information for a portion of our customers.”

Security incident

“The unauthorised party socially engineered a customer support employee by phone and obtained access to certain customer support systems,” said the platform.

“At this time, we understand that the unauthorised party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people.”

A small number of customers had more sensitive personal information disclosed: 310 people had their name, date of birth, and postcode compromised.

Ten of these customers had “more extensive account details revealed,” the platform said. “We are in the process of making appropriate disclosures to affected people.”

“After we contained the intrusion, the unauthorised party demanded an extortion payment,” blogged the platform. “We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.”

“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

Layered security

The hackers used an attack vector similar to the spear phishing compromise of a staffer at Twitter in July 2020.

A security expert noted the need to improve staff training to recognise these types of attacks.

“The latest cyberattack on Robinhood is a stark reminder of the critical need for organisations to adopt a layered security strategy that includes the increasingly critical aspect of defending against human error,” noted Chris Deverill, UK director at Orange Cyberdefense.

“The fact malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness,” said Deverill.

“Teaching employees how to recognise phishing attempts and detect malicious activity will ultimately enable them to access the security resources needed to stop cybercriminals in their tracks, and carry out their own jobs safely and effectively,” said Deverill.

“More than ever before, we are operating in a cyber landscape where implementing a comprehensive security strategy is no longer an opt-in or opt-out option,” said Orange Cyberdefense’s Deverill.

“This latest data breach is a stark reminder of the critical importance of user awareness and education amongst organisations,” Deverill concluded. “By improving this, businesses can make employees their first line of defence when it comes to cybersecurity, and further protect their organisation and customers from such attacks in the future.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
