7 million Robinhood customers impacted by the data breach

Trading app hack exposes the most extensive data of 300 users

The trading platform announced that November 3rd was the day the app suffered a hack

Robinhood – a commission-free investing tool and the widely used stock trading platform suffered a data breach.^[1] The company shared the news and stated, that the initial attack happened on November 3rd. The system was hacked and malicious actors accessed private information about more than 7 million customers. Robinhood has disclosed a data breach after their systems were hacked when a threat called customer support service and obtained access to the highly important system of data.

The company states^[2] that hackers demanded payment in exchange for the stolen data. Robinhood decided to quickly involve law enforcement authorities but it remains unclear whether the company gave up and paid demanded money and if so, what exactly was the amount. In the most likely scenario, hackers probably asked for a ransom in Bitcoin, otherwise, the stolen data would be leaked.

Robinhood Chief Security Officer Caler Sima states:

“As a Safety First company, we owe it to our customers to be transparent and act with integrity. Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

It is also announced that the company will work together with the well-known cybersecurity firm Mandiant and will continue to investigate the incident. Mandiant is known for its tactics and plans used to perform incident response after attacks. In the meantime, Robinhood is strongly advising all customers that could have been affected to visit Help Center and secure the two-factor authentication.

Email addresses, names, and zip codes are among the stolen data

Robinhood data breach happens in the wake of similar events: the T-Mobile data breach, which happened back in September and Twitch, in October. In the case of Robinhood, the data breach affects millions of customers, globally. As the company shared in their blog post, a list of email addresses for five million people, and full names for a different group of approximately two million people were obtained.

Additionally, the way a smaller number of people, around 310 in total were affected more seriously. Their additional personal information, like name, date of birth, and zip code, was stolen. At least 10 customers have their whole account details revealed. However, at least at the moment, there is no talk about the possible theft of Social Security numbers, bank account numbers, or debit card numbers.^[3]

The latest events aren't the only problem for Robinhood in the past times. This year company has already suffered due to Congress's attention. Robinhood's name was frequently mentioned in January's stock trading frenzy. During a court hearing which continued for at least 5 years, it was discussed, whether companies' services are beneficial or just plain harmful for retail investors.^[4]

Data breaches cause severe security risks

Data breaches become more and more common and cause huge risks to companies and customers alike. When a breach happens, it is always important to think about what data is involved in the breach, the number of people who will be affected, and what harm may come to them as a result of the breach. Personal data breaches should be reported to ICO under data protection law.^[5]

If someone believes to be a victim of a data breach, the first thing to do is to check whether personal data is involved and establish the type and amount of data that you think has been breached. It is also important to think through who might have access to the data now and how many people might be affected. Even the scrambles of information could help assess a major risk.