On November 3, the online investing platform Robinhood experienced a data breach in which a hacker obtained access to the personal information of millions of its customers.
The company said in a statement that no social security numbers, bank account numbers or debit card numbers had been exposed.
‘There has been no financial loss to any customers as a result of the incident,’ said the company in yesterday’s statement.
The hacker is said to have gained access through social engineering: a customer support employee was tricked over the phone into granting access to certain customer support systems.
Email addresses for approximately five million people and full names for a different group of approximately two million users have reportedly been stolen.
Additionally, more extensive personal information, including name, date of birth and zip code, was exposed for about 310 people. Approximately 10 customers had even more extensive account details revealed.
‘We are in the process of making appropriate disclosures to affected people,’ said the company.
Robinhood said that the hacker demanded an extortion payment but it’s unclear if the company gave in to the demands. The firm said that it ‘promptly informed law enforcement’ and was continuing the investigation into the incident with the help of security firm Mandiant.
The California-based company went on to assure customers that the attack had since been contained.
‘As a Safety First company, we owe it to our customers to be transparent and act with integrity,’ said Robinhood Chief Security Officer Caleb Sima.
‘Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,’ he added.
More than 22 million users have funded accounts at Robinhood, with nearly 19 million actively using theirs in September.
Cyber security experts say that the incident highlights the need to train employees to recognise social-engineering attempts, whether by email or over the phone, and to detect malicious activity, so that they can stop cybercriminals in their tracks.
‘The fact that malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness,’ said Orange Cyberdefense’s UK director, Chris Deverill.
The latest cyberattack on Robinhood is a reminder of the need for organisations to adopt a layered security strategy that takes into account human error.
‘More than ever before, we are operating in a cyber landscape where implementing a comprehensive security strategy is no longer an opt-in or opt-out option,’ added Deverill.
Following the news, Robinhood shares fell 3.1% in after-hours trading.
Robinhood is known for being an easy and accessible tool for young investors. During the pandemic, the app had added about 13 million users with an average age of 31.
The company has been criticised for allowing young, inexperienced users to trade on the app.
In June, Robinhood was fined $57 million by the Financial Industry Regulatory Authority for technical failures and ordered to pay $13 million in restitution to thousands of customers.
In a separate incident last year, almost 2,000 Robinhood accounts were compromised in a hack and users complained that there was no one available to call.
Since then, the company has been working overtime to project itself as a reliable brokerage for new investors. In 2020, the firm went on a hiring spree for customer-service staff and more than tripled in size, opening offices in Arizona, Texas and Colorado as part of its expansion. It also unveiled 24/7 phone support last month.