It’s incidents like this that keep us doing those annoying security trainings every year.
Robinhood has announced a data breach revealing around 7 million users’ information after an employee was tricked into providing a hacker with access to internal systems.
The security breach occurred on Nov. 3, and involved an unauthorized person simply calling up the investing app’s customer support. The caller then tricked a Robinhood employee into granting them access to sensitive user information, and managed to collect around 5 million people’s emails and the full names of around 2 million more.
That’s bad enough already, but it gets worse. Robinhood also revealed that around 310 people had further personal information exposed, including their names, dates of birth, and zip codes. Ten of these customers had even more details of their account revealed, but Robinhood did not reveal exactly what information this entailed. Fortunately, Robinhood believes no Social Security numbers, bank account numbers, or credit card numbers were among the information stolen.
You’ve kinda gotta respect the social engineering skill. Most of us would assume that a person authorized to access private user data probably wouldn’t call the public-facing customer support number.
The malicious actor attempted to extort a payment out of Robinhood, though the company declined to reveal to Mashable the amount demanded or if they’d actually paid it. However, a Robinhood spokesperson did tell Mashable the company will continue requiring security training for its employees, including educating them on social engineering attacks, and it is “working to implement new security countermeasures.”
Robinhood further noted in its press release that law enforcement has been informed, and the incident is being investigated by security firm Mandiant. The company is also in the process of disclosing the breach to impacted users.
“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” said Robinhood Chief Security Officer Caleb Sima in a post on the company’s official blog.
Unfortunately, there isn’t much you can do to protect yourself from such violations. If you provide your information to a company, which is then tricked into giving it to a hacker, that’s on them.
If you want to be part of the solution, complete your annoying work-mandated data security training, and hopefully you won’t make the same mistake this Robinhood employee did.