Robinhood Data Breach Nightmare Hinged on Customer Service Slip
Robinhood Markets Inc. caught criticism last year for its shortcomings in customer support. After racing to staff up, the company has a new problem: a customer service representative mishap allowed a hacker to steal the personal information of about 7 million users.
The Menlo Park, California-based brokerage app is reeling from the largest hack in its history, which compromised private details of about one-third of its users. A company statement said the Nov. 3 breach hinged on a phone call where the hacker duped a customer support staffer. It didn’t provide details on how exactly the culprit gained entry.
The intruder made off with email addresses of about 5 million Robinhood users, as well as full names for a separate group of about 2 million, and demanded an extortion payment. For some customers, even more personal data was exposed, including names, birth dates and ZIP codes of about 310 people, and more extensive information belonging to a group of about 10.
“Financial services firms are huge targets because there are always new customers coming: a refresh of identities, a refresh of credentials,” said Bob Rudis, chief data scientist at the cybersecurity firm Rapid7 Inc. “Everyone talks about ransomware, but credentials and identities are still things being sold on the dark web and criminal forums. It’s very valuable data.”
The episode is unfolding as Robinhood works to convince users and watchful regulators that it can live up to the “safety first” mantra its executives often repeat. The high-profile breach shows that the path remains fraught as Robinhood expands rapidly. It also comes as a blow to the brokerage at a moment when it’s angling to get users to entrust more of their financial lives to the app. Robinhood has a waitlist for cryptocurrency wallets, and plans to offer other products including retirement accounts in the future.
Robinhood said it believes no Social Security, bank account or debit-card numbers were exposed in the hack, nor that customers incurred financial losses. It said it contained the breach, notified law enforcement and enlisted security firm Mandiant Inc. to investigate.
Shares of Robinhood fell 3% to $36.85 at 10:24 a.m. in New York.
Mandiant Chief Technology Officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact” and that his firm expects the intruder to continue to target and extort other organizations over the next several months.
In a separate episode last year, almost 2,000 Robinhood accounts were compromised in a hacking spree, where customer accounts were looted. Some complained there was no one available to call.
The firm, which helped popularize free trading, went on a hiring binge for customer-service staff, more than tripling the size of that team in 2020. The brokerage opened offices in Arizona, Texas and Colorado as part of its expansion. It unveiled round-the-clock phone support last month.
–With assistance from Jack Gillum.