Investor trading app company Robinhood Markets has confirmed a data breach that affects the personal information of about 7 million customers – roughly a third of its user base. A cyberattacker made off with emails and more, which could lead to follow-on attacks for Robinhood customers.
The trading platform, which found itself in the middle of the infamous GameStop stock price run-up in January, acknowledged that the breach was a result of a system compromise that occurred on Nov. 3. The company said that the adversary was able to target an employee to gain access to sensitive company systems. After that, the perpetrator attempted to extort the company, demanding payment in return for not releasing the stolen data.
“The unauthorized party socially engineered a customer-support employee by phone and obtained access to certain customer support systems,” Robinhood said Monday in a statement. It added, “After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.”
For 5 million of the victims, the cybercrook made off with email addresses. For 2 million of them, the attacker also absconded with full names. Meanwhile, names, birth dates and ZIP codes were stolen for 310 people, and “more extensive account details” were heisted for 10 more, the company said.
The good news is that it looks like no Social Security numbers, bank account numbers or debit card numbers were exposed, “and that there has been no financial loss to any customers as a result of the incident,” according to the Monday statement from the firm, which called the incident “contained.”
The company said it is in the process of notifying affected individuals. Experts warned that those individuals could now be targeted with convincing follow-on phishing and social-engineering attacks that combine the stolen email addresses with personal information gleaned from public sources.
Despite the scope of the breach, Chad Anderson, a senior security researcher at DomainTools, applauded the company for its transparency.
“This is an unfortunate breach for Robinhood and reads like it could have been prevented with more process,” he said via email. “I have to commend their team for being transparent however with the impact of the breach and timeliness of their information release. Responses like that allow defenders to warn users and position themselves well for what will likely be a round of scams targeting the emails of those users exposed.”
How to Defend Against Socially Engineered Data Breaches
Notably, this breach was the result of duping an employee over the phone (voice phishing, or vishing), not of a malicious email and not of a hack of internal systems through a vulnerability exploit or other technical avenue.
Preventing social-engineering attacks is notoriously difficult because human error can never be eliminated entirely. As a starting point, though, employees should be trained to spot and report social-engineering and phishing attempts, and organizations should have a policy that tells employees how to report them, according to Erich Kron, security awareness advocate at KnowBe4.
“Social engineering continues to play a significant role in spreading malware and ransomware as well as in breaches such as this one,” he said via email. “The bad actors behind these attacks are often highly-skilled and very convincing when they get a potential victim on the line. Unfortunately, technology is not good at stopping these attacks, so the best defense against these attempts is education and training.”
This is especially important in an era when most employees work in a hyper-accelerated data environment, added Trevor Morgan, product manager with data security specialists comforte AG, in an email.
“We have all gotten used to working faster and pushing information out as fast as we can, but this is exactly the vulnerability that social engineering preys upon,” he said. “Not taking the time to inspect emails, to think through a situation without haste or pressure, or to confirm a request to ensure the legitimacy of the requestor is the fatal flaw.”
He added that organizations can do two things: Encourage a security-minded company culture and employ data security.
“One, build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information,” he explained. Two, IT leaders can consider data-centric security as a means to protect sensitive data rather than the perimeters around data. “Tokenization, for example, not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised.”
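To make the data-centric point concrete, the following is an added example (written for this page, not code from Robinhood, comforte AG or any product mentioned above) of vault-based, format-preserving tokenization. The `TokenVault` class, the field names and the customer record are all constructed for illustration. The vault is the only place that can map a token back to a real value; a customer-support console that holds only tokenized records still sees well-formed ZIP codes, dates and email addresses it can search and join on, but an attacker who talks their way into that console, as happened here, gets values that carry no information.

```python
"""Vault-based, format-preserving tokenization (added example; hypothetical API)."""
import secrets
import string
from dataclasses import dataclass, field

DIGITS = string.digits
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
ALNUM = DIGITS + UPPER + LOWER


def _random_same_class(ch: str) -> str:
    """Replace one character with a random one of the same class; punctuation stays."""
    if ch in DIGITS:
        return secrets.choice(DIGITS)
    if ch in UPPER:
        return secrets.choice(UPPER)
    if ch in LOWER:
        return secrets.choice(LOWER)
    return ch


def format_signature(value: str) -> str:
    """Describe a value's shape: '9' per digit, 'A' per upper, 'a' per lower, else the char itself."""
    return "".join(
        "9" if c in DIGITS else "A" if c in UPPER else "a" if c in LOWER else c
        for c in value
    )


@dataclass
class TokenVault:
    """Holds the only mapping between tokens and real values.

    Everything outside the vault works with tokens. Tokens are random (not
    derived from the value), so possession of a token reveals nothing without
    vault access, which should be restricted far more tightly than a
    support console.
    """
    _to_token: dict = field(default_factory=dict)
    _to_value: dict = field(default_factory=dict)

    def tokenize(self, field_name: str, value: str) -> str:
        if not any(c in ALNUM for c in value):
            raise ValueError("value has no alphanumeric characters to tokenize")
        key = (field_name, value)
        if key in self._to_token:  # same value -> same token, so lookups and joins keep working
            return self._to_token[key]
        while True:
            token = "".join(_random_same_class(c) for c in value)
            # Never hand back the real value, and never reuse a token within a field.
            if token != value and (field_name, token) not in self._to_value:
                break
        self._to_token[key] = token
        self._to_value[(field_name, token)] = value
        return token

    def detokenize(self, field_name: str, token: str) -> str:
        """Privileged operation: only callers with vault access can recover the value."""
        return self._to_value[(field_name, token)]


def protect_record(vault: TokenVault, record: dict, sensitive_fields: set) -> dict:
    """Return the view a support system should store: sensitive fields replaced by tokens."""
    return {
        k: vault.tokenize(k, v) if k in sensitive_fields else v
        for k, v in record.items()
    }


if __name__ == "__main__":
    # Constructed sample customer record, not real data.
    customer = {
        "id": "C-10042",
        "email": "jane.doe@example.com",
        "full_name": "Jane Doe",
        "birth_date": "1984-07-21",
        "zip": "02139",
        "plan": "gold",
    }
    vault = TokenVault()
    support_view = protect_record(vault, customer, {"email", "full_name", "birth_date", "zip"})
    print(support_view)  # same shapes as the original fields, but random content
```

The weak spot of this design is the vault itself: it must sit behind stronger authentication than the systems that consume tokens, and `detokenize` calls should be logged and rate-limited, because a support process that routinely de-protects records gives up the benefit the quote above describes.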