Investor trading app company Robinhood Markets has confirmed a data breach affecting the personal information of about 7 million customers, roughly a third of its user base. An attacker stole email addresses and more, which could lead to follow-on attacks against Robinhood customers.
The attacker attempted to extort the company after socially engineering a customer-service employee to gain access to email addresses and other data.
The trading platform, which found itself in the midst of the infamous US GameStop stock price run-up in January, acknowledged that the breach was the result of a system compromise that occurred on November 3.
The company explained that the adversary was able to target an employee to gain access to sensitive company systems. Afterwards, this person attempted to extort the company, demanding payment in return for not releasing the stolen data.
“The unauthorised party socially engineered a customer-support employee by phone and obtained access to certain customer support systems,” Robinhood said in a statement on Monday.
It added, “After we contained the intrusion, the unauthorised party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.”
For 5 million of the victims, the attacker made off with email addresses. For 2 million of them, the attacker also absconded with full names. Meanwhile, names, birth dates and ZIP codes were stolen for 310 people, and “more extensive account details” were heisted for 10 more, the company outlined.
US Social Security Numbers
The good news is that it looks like no US Social Security numbers, bank account numbers or debit card numbers were exposed, “and that there has been no financial loss to any customers as a result of the incident,” according to the Monday statement from the firm, which called the incident “contained.”
The company said it is in the process of notifying affected individuals, who could be targeted with additional, and convincing, social-engineering and phishing attacks that use their email addresses and other personal information gleaned from public sources, experts warned.
Despite the scope of the breach, Chad Anderson, senior security researcher at DomainTools, lauded the company for its transparency.
“This is an unfortunate breach for Robinhood and reads like it could have been prevented with more process,” he said.
“I have to commend their team, however, for being transparent with the impact of the breach and the timeliness of their information release. Responses like that allow defenders to warn users and position themselves well for what will likely be a round of scams targeting the emails of those users exposed.”
Socially Engineered Data Breaches
This breach was the result of deceiving an employee into falling for a phishing attempt, rather than a hack of internal systems through a vulnerability exploit or another avenue.
Preventing social-engineering attacks is notoriously difficult because, in the end, human error is impossible to root out.
As a starting point, though, employees should be trained to spot and report social-engineering and phishing attacks, and organisations should have a policy telling employees how to report these attacks, according to Erich Kron, security awareness advocate at KnowBe4.
“Social engineering continues to play a significant role in spreading malware and ransomware, as well as in breaches such as this one,” he observed.
“The bad actors behind these attacks are often highly skilled and very convincing when they get a potential victim on the line. Unfortunately, technology is not good at stopping these attacks, so the best defence against these attempts is education and training.”
This is especially important in an era when most employees work in a hyper-accelerated data environment, added Trevor Morgan, product manager at data security specialist Comforte AG, in an email.
“We have all gotten used to working faster and pushing information out as fast as we can, but this is exactly the vulnerability that social engineering preys upon,” he stated.
“Not taking the time to inspect emails, to think through a situation without haste or pressure, or to confirm a request to ensure the legitimacy of the requestor is the fatal flaw.”
He added that organisations can do two things: encourage a security-minded company culture and employ data security.
“First, build an organisational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information,” he explained.
Second, IT leaders can consider data-centric security as a means of protecting the sensitive data itself, rather than the perimeters around it.
“Tokenisation, for example, not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised.”
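To make the tokenisation point concrete, here is an added example (not code from Robinhood, Comforte AG or the article) of a vault-based, format-preserving tokeniser in Python. It is a constructed illustration: tokens are random digits and letters chosen to match the shape of the original value, a vault keeps the only mapping back to the plaintext, and lookups are keyed by an HMAC so the vault index never holds the raw value. The key, field names and customer record are all made up for the demo; a production vault would additionally encrypt its contents and sit behind strict access control.

```python
"""Vault-based, format-preserving tokenisation (constructed demo)."""
import hashlib
import hmac
import secrets
import string


class TokenVault:
    """Maps sensitive values to random tokens that keep the original format.

    Tokens are generated randomly rather than derived from the value, so a
    token leaked from an application database cannot be reversed without the
    vault. The same value always maps to the same token (via an HMAC index),
    which lets applications keep joining, deduplicating and validating data.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key        # secret used only for the HMAC index
        self._by_hmac: dict[str, str] = {}   # HMAC(plaintext) -> token
        self._by_token: dict[str, str] = {}  # token -> plaintext (the vault proper)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _random_token(value: str) -> str:
        """Swap each digit/letter for a random one of the same class; keep
        separators, so length, dashes and character classes are preserved."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha() and ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if not any(c.isalnum() for c in value):
            # nothing to randomise: a token would always equal the value
            raise ValueError("value has no letters or digits to tokenise")
        fp = self._fingerprint(value)
        if fp in self._by_hmac:
            return self._by_hmac[fp]
        while True:
            token = self._random_token(value)
            # reject collisions and the degenerate case token == value
            if token != value and token not in self._by_token:
                break
        self._by_hmac[fp] = token
        self._by_token[token] = value
        return token

    def has_token(self, token: str) -> bool:
        return token in self._by_token

    def detokenize(self, token: str) -> str:
        """Only a holder of this vault can recover the plaintext."""
        return self._by_token[token]


def same_format(a: str, b: str) -> bool:
    """True when b has the same length and character classes as a."""
    def shape(s: str) -> str:
        return "".join("9" if c.isdigit() else "A" if c.isupper()
                       else "a" if c.isalpha() else c for c in s)
    return shape(a) == shape(b)


def protect_record(vault: TokenVault, record: dict, fields: tuple) -> dict:
    """Return a copy of record with the named sensitive fields tokenised."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")          # constructed secret
    customer = {"name": "Ada Example", "zip": "30301", "dob": "1990-07-14"}
    protected = protect_record(vault, customer, ("zip", "dob"))
    print("protected record:", protected)
    print("zip still looks like a ZIP:", same_format("30301", protected["zip"]))
    print("vault recovers zip:", vault.detokenize(protected["zip"]))
```

The application layer can keep validating a five-digit ZIP or a date-shaped string against the tokens, while a copy of the protected record that leaks without the vault yields nothing but random values of the right shape.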