Robinhood’s breach brings lawsuit
Robinhood Markets Inc. is now facing a lawsuit for its recent data breach, one that saw about 7 million individuals have their personal data stolen, or one-third of Robinhood’s total userbase. Hackers in this case utilized social engineering, fooling a customer service representative over the phone, which allowed them entry. Once again, it’s interesting how one single plank missing can scuttle the whole vessel when it comes to data security. Email addresses were stolen, along with full names, thousands of phone numbers, and even birthdays and zip codes for a smaller number.
Employment at Robinhood has soared in recent years, as the company has constantly found itself in the news for online stock trading, such as the wild rides that were the Gamestop and AMC short selling sagas. Perhaps that accounts for the rise in hires, but the flip side of that is an enlarged attack surface: more human access points to compromise. Just last month, Robinhood instituted enhanced phone support for customer service, a notable step after another data breach in 2020 had affected customers complaining about a lack of anyone to help them on the phone.
The value of personal data—people’s credentials and identities—has not diminished on the dark web just because of ransomware’s rise. Such data can still provide an alluring target for cyber criminals. For its part, Robinhood states that no Social Security numbers, bank account or card information appear to have been accessed. Furthermore, the company is fighting back against the suit, on the grounds that no customers experienced financial losses. I don’t know if enough time has passed to determine that yet, but that’s the gist of their objection.
An investigation by Mandiant, a security firm that Robinhood hired after the breach, predicts that the culprit will go after other firms in the same way in the near future. Hopefully the next targets will make it a bit more difficult to infiltrate the network than tricking someone on the phone. We already know how precarious an organization’s security postures can be; every incident like this only reinforces that fact, for how mind boggling it may be that one person’s accidental stumble could result in a major data breach.