Stock trading app Robinhood hit by mega data breach

Humans are often the weakest link in the chain, suggest cybersecurity experts


Trading platform Robinhood has announced that more than seven million of its customers have been impacted by a data breach.

“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” disclosed Robinhood of its own accord.

The platform, which earned infamy during the GameStop saga, shared that the attack was orchestrated by socially engineering a lone customer support executive over the phone to obtain access to certain customer support systems.


Through this access, the attacker was able to pull up a list of email addresses for about five million people, and full names for a separate group of two million people.

Damage control

A smaller group of about 310 users lost additional personally identifiable information (PII), including their names, dates of birth, and zip codes, while “more extensive account details” were revealed about another ten customers.

Robinhood claims that it was able to contain the incident, and is continuing to investigate the incident with the help of cybersecurity firm Mandiant.

Robinhood also shared that it was approached by the attackers, who sought an “extortion payment.” The platform says it instead notified law enforcement, though it did not explicitly state that it declined to engage with the perpetrators.

Cybersecurity experts TechRadar Pro spoke to say the incident is a reminder that humans are oftentimes the weakest link in the ecosystem.

“To reduce risks, companies should have multiple layers of controls in place with restrictions on who can access mission critical data. This can be challenging for financial services companies with employees working remotely from home and customer data and systems becoming more distributed across on-premises, cloud and SaaS infrastructures,” says Ken Westin, Director, Security Strategy, Cybereason.

Alicia Townsend, technology evangelist with identity management experts OneLogin, agrees, adding that “this incident highlights two important points: educating employees about possible cybersecurity threats especially social engineering threats and limiting access to customer information to the bare minimum for employees based upon their job role.”

Thwarting social engineering attacks

However, Trevor Morgan, product manager with data security specialists comforte AG, says training doesn’t address the root problem that facilitates social engineering attacks such as this one.

Morgan says most employees work in a hyper-accelerated data environment, where any delay in providing or sharing information can halt progress. He believes this is exactly the vulnerability that social engineering preys upon.

To eradicate the problem, Morgan suggests businesses should build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information.

Furthermore, he suggests IT leaders consider data-centric security as a means to protect sensitive data itself rather than the perimeters around data.

“Tokenization for example not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised,” explains Morgan.
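The data-centric approach Morgan describes, as an added example that is not from the article or from any comforte AG product: a small vault-style, format-preserving tokenizer in Python (the `TokenVault` class, the `fraud-investigator` role and the sample customer record are all hypothetical constructions) in which customer-support tools only ever see tokens shaped like the real email, date of birth and zip code, and de-tokenization is gated to a narrow role.

```python
import secrets
import string

# Constructed sample record (hypothetical values, not data from the breach).
SAMPLE_CUSTOMER = {"email": "jane.doe@example.com", "dob": "1988-04-17", "zip": "94103"}


def shaped_token(value):
    # Keep digits as digits and letters as letters; leave separators such as
    # '@', '.', '-' in place so the token still passes the app's format checks.
    return "".join(
        secrets.choice(string.digits) if ch.isdigit()
        else secrets.choice(string.ascii_lowercase) if ch.isalpha()
        else ch
        for ch in value)


def same_shape(value, token):
    """True when token preserves value's format position by position."""
    return len(value) == len(token) and all(
        (a.isdigit(), a.isalpha()) == (b.isdigit(), b.isalpha()) and (a.isalnum() or a == b)
        for a, b in zip(value, token))


class TokenVault:
    """Vault-style tokenization: the plaintext lives only inside the vault;
    everything outside it (support tools, logs, exports) sees tokens."""

    def __init__(self):
        self._to_value = {}  # token -> plaintext
        self._to_token = {}  # plaintext -> token, so repeat lookups stay stable

    def tokenize(self, value):
        if value in self._to_token:
            return self._to_token[value]
        token = shaped_token(value)
        # Retry on collision or if the random draw reproduced the plaintext.
        while token in self._to_value or token == value:
            token = shaped_token(value)
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token, role):
        # De-protection is the only path back; gate it so support access yields tokens only.
        if role != "fraud-investigator":
            raise PermissionError(f"role {role!r} may not de-tokenize")
        return self._to_value[token]


def protect_record(vault, record):
    """Tokenize every field before the record reaches customer-support systems."""
    return {field: vault.tokenize(v) for field, v in record.items()}
```

A support agent who is socially engineered into reading a record out of such a system hands over tokens rather than real contact details, while the real values stay inside the vault.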

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
